8.8
CVE-2026-56424
- EPSS 0.36%
- Veröffentlicht 22.06.2026 12:17:17
- Zuletzt bearbeitet 23.06.2026 15:16:39
- Quelle 5a6e4751-2f3f-4070-9419-94fb35
- CVE-Watchlists
- Unerledigt
Broken access control in MISP core allows cross-organization unauthorized modification or deletion of analyst data, event reports, collections, templates, and decaying models
MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user’s organization. The affected paths included: * Event Reports tag removal: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report * Collection Elements bulk deletion: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element’s actual parent collection, enabling deletion of elements from collections the user did not own. * Analyst Data capture/update: nested analyst data updates could overwrite an existing record without applying the normal canEditAnalystData ownership check, enabling cross-organization overwrite of analyst data records. * Template Elements editing: editing authorized against a template whose ID matched the template-element ID, rather than the element’s actual parent template, enabling unauthorized edits to another organization’s template elements. * Decaying Model editing and mappings: write paths loaded models using view-scope access but did not verify edit ownership, enabling users to edit or remap visible models owned by another organization. Successful exploitation could allow an authenticated user with subsystem-specific permissions to perform unauthorized cross-organization modifications or deletions of MISP data, resulting in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Misp-project ≫ Misp Version < 2.5.42
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.36% | 0.278 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| 5a6e4751-2f3f-4070-9419-94fb35b644e8 | 7.1 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://github.com/MISP/MISP/commit/24d7e91339a3ef043652dd5799c36e5065b2bb4a
https://github.com/MISP/MISP/commit/57ad774d21bd1863d060a9e6e73ae54eb96784ce
https://github.com/MISP/MISP/commit/3aecc04d5816189412b589cf590c6dbe9a8db5c0
https://github.com/MISP/MISP/commit/ba2f51fe7440ba2c6043ccde858cac1e25f96931
https://github.com/MISP/MISP/commit/744005cefdc3b943bd29669c3b34cc66a5fc2154