Description
An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcibly overwrite an event template owned by another organization.



Successful exploitation could allow unauthorized modification of another organization’s event template, potentially altering template structure, attributes, or metadata used for subsequent event creation or sharing workflows. Site administrators are not affected by this restriction, as they are explicitly allowed to overwrite templates across organizations.



The issue was fixed by enforcing an ownership check before overwrite: non-site-admin users may only overwrite templates owned by their own organization.
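The missing check and the fix described above, as an added example: this is a simplified Python model written for this page, not MISP's own code. The `User`, `Template`, store and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

class OverwriteDenied(Exception):
    """The importer refused to replace an existing template."""

@dataclass(frozen=True)
class User:                      # hypothetical model, not MISP's schema
    org_id: int
    is_site_admin: bool = False

@dataclass
class Template:                  # hypothetical model, not MISP's schema
    uuid: str
    org_id: int                  # owning organization
    body: dict

def _save(store, user, incoming, existing):
    if existing is None:         # new template: owned by the importer's org
        store[incoming["uuid"]] = Template(incoming["uuid"], user.org_id, incoming["body"])
    else:                        # overwrite: content replaced, owner unchanged
        existing.body = incoming["body"]
    return store[incoming["uuid"]]

def import_unchecked(store, user, incoming, overwrite=False):
    """Flawed flow: checks that a match exists, never who owns it."""
    existing = store.get(incoming["uuid"])
    if existing is not None and not overwrite:
        raise OverwriteDenied("template exists and overwrite was not requested")
    return _save(store, user, incoming, existing)

def import_checked(store, user, incoming, overwrite=False):
    """Fixed flow: non-site-admins may only overwrite their own org's template."""
    existing = store.get(incoming["uuid"])
    if existing is not None:
        if not overwrite:
            raise OverwriteDenied("template exists and overwrite was not requested")
        if not user.is_site_admin and existing.org_id != user.org_id:
            raise OverwriteDenied("template is owned by another organization")
    return _save(store, user, incoming, existing)

def attempt(importer, user, owner_org=1):
    """Constructed scenario: import over a template owned by owner_org."""
    store = {"tpl-1": Template("tpl-1", owner_org, {"name": "original"})}
    try:
        importer(store, user, {"uuid": "tpl-1", "body": {"name": "changed"}}, overwrite=True)
    except OverwriteDenied:
        pass
    return store["tpl-1"].body["name"]
```

`attempt` returns the stored template name after the import, so a regression test can assert that a cross-organization overwrite leaves it unchanged while same-organization and site-admin overwrites still succeed.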
Published: 2026-06-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the MISP Event Template Importer allowed an authenticated user to overwrite an event template belonging to another organization without legitimate ownership verification. The vulnerability stems from neglecting to enforce that the importing user’s organization matches the template’s owner, leaving the integrity of templates exposed. This flaw enables users to alter the structure, attributes, or metadata of organizational event templates, potentially disrupting downstream event creation and sharing processes. The weakness is classified as an authorization bypass (CWE-862).

Affected Systems

The issue affects installations of MISP where the Event Template Importer is enabled. Any deployment of MISP that has not incorporated the commit that enforces ownership checking (commit 7c2200d143bef86aaf58d701b6968a843097db69) is susceptible. Site administrators remain unaffected because they are intentionally permitted cross‑organization overwrites.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity. An attacker must be an authenticated user with template import rights to exploit the flaw, which limits the attack surface to authorized personnel within an organization. Since the EPSS score is unavailable, the likelihood of exploitation is uncertain, but the absence from the CISA KEV catalog suggests no confirmed widespread exploitation yet. Still, the vulnerability permits unauthorized alteration of cross‑organization templates, which can compromise the integrity of shared threat intelligence flows.

Generated by OpenCVE AI on June 4, 2026 at 14:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MISP to a release containing the ownership check fix (commit 7c2200d143bef86aaf58d701b6968a843097db69).
  • Restrict template import workflow to users whose organization matches the template owner; enforce this at the role or permission level.
  • Audit existing event templates for unauthorized changes and monitor import logs for anomalous overwrite activity.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:* |
| Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'} |


Thu, 04 Jun 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Misp; Misp misp |
| Vendors & Products | | Misp; Misp misp |

Thu, 04 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 04 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcibly overwrite an event template owned by another organization. Successful exploitation could allow unauthorized modification of another organization’s event template, potentially altering template structure, attributes, or metadata used for subsequent event creation or sharing workflows. Site administrators are not affected by this restriction, as they are explicitly allowed to overwrite templates across organizations. The issue was fixed by enforcing an ownership check before overwrite: non-site-admin users may only overwrite templates owned by their own organization. |
| Title | | MISP Event template importer authorization bypass |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-04T13:52:31.111Z

Reserved: 2026-06-04T13:03:48.458Z

Link: CVE-2026-10855

Vulnrichment

Updated: 2026-06-04T13:52:24.944Z

NVD

Status: Analyzed

Published: 2026-06-04T14:16:37.797

Modified: 2026-06-08T14:03:35.103

Link: CVE-2026-10855

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T15:00:15Z
