CVE-2026-9084

EPSS 0.18%
Veröffentlicht 20.05.2026 14:22:59
Zuletzt bearbeitet 20.05.2026 17:31:45
Quelle 5a6e4751-2f3f-4070-9419-94fb35
CVE-Watchlists
Login
Unerledigt
Login

MISP OIDC authentication bypass via automatic email-based account linking under insecure IdP configurations

MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellermisp

≫

Produkt misp

Default Statusunaffected

Version <= 2.5.37

Version 2.5.0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.079

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
5a6e4751-2f3f-4070-9419-94fb35b644e8	6	0	0	CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/MISP/MISP/commit/71f5662c1b5886613d2cd5c72fd93bb4ca6fa172

https://nvd.nist.gov/vuln/detail/CVE-2026-9084

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-9084

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-9084

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-9084