Description
A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity.



The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.
Published: 2026-06-04
Score: 9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A mass assignment flaw in the MISP user edit function allows an authenticated attacker to supply a different User.id value than the session’s own, causing the system to apply updates to an unintended account. This is a CWE‑269 improper authorization vulnerability. The attacker can modify any fields that the edited user role permits, thereby compromising the integrity of another account. This enables unauthorized control over user attributes without having elevated privileges beyond those harvested through the normal authentication channel.

Affected Systems

The vulnerability is present in the MISP platform provided by the MISP vendor. No specific product version is listed in the CNA data, so any build that has not applied the referenced patch could be impacted.

Risk and Exploitability

The CVSS score of 9 signals a critical level of risk, and while an EPSS score is not provided, the lack of exploitation statistics does not mitigate the severity. The vulnerability requires that the attacker be authenticated and possess sufficient rights to perform a user edit. If the attacker can craft a custom request—likely through the web interface or API—the flaw can be exploited remotely. The issue is not catalogued in CISA KEV, but the high CVSS rating warrants immediate attention.

Generated by OpenCVE AI on June 4, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restart the MISP service after applying the patch found in commit 1be8c413b7104a889dfd30c5b1986e3ab17238e8
  • Verify that all user edit requests exclude the User.id field and that the application enforces role‑based field restrictions
  • Restrict API or web access to the user‑edit endpoint to only privileged roles and monitor for anomalous edit activity

Generated by OpenCVE AI on June 4, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Misp
Misp misp
Vendors & Products Misp
Misp misp

Thu, 04 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity. The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.
Title MISP user edit endpoint mass assignment vulnerability allows unauthorized user account modification
Weaknesses CWE-269
References
Metrics cvssV4_0

{'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:H/SA:N'}

Subscriptions

Misp Misp
cve-icon MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-04T17:29:49.348Z

Reserved: 2026-06-04T14:37:51.334Z

Link: CVE-2026-10868

cve-icon Vulnrichment

Updated: 2026-06-04T17:29:44.795Z

cve-icon NVD

Status : Deferred

Published: 2026-06-04T16:16:33.867

Modified: 2026-06-04T16:20:27.330

Link: CVE-2026-10868

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T17:00:15Z

Weaknesses