Description
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. This vulnerability is fixed in 2.5.37.
Published: 2026-05-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper access control flaw in the authentication key reset functionality of MISP allows an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. The vulnerability hinges on the fact that non-site administrators can access or reset site administrator authentication keys without explicit restriction, enabling an attacker to obtain a newly generated key for a higher-privileged account. The attacker could then log in with that key and gain full site administrator privileges, compromising confidentiality, integrity, and availability of the entire site. This flaw is classified as CWE-863.
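The missing authorization check, modelled as an added illustration (this is not MISP's code; the Role and Account types, the same-organization rule for organization administrators, and the sample accounts are assumptions built from the description above). The `fixed` flag switches between the pre-2.5.37 decision, which never looks at the target's role, and the corrected one:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import secrets

class Role(Enum):
    USER = "user"
    ORG_ADMIN = "org_admin"
    SITE_ADMIN = "site_admin"

@dataclass
class Account:  # assumed shape for illustration, not MISP's user model
    user_id: int
    org_id: int
    role: Role
    auth_key: str = ""

def may_reset_auth_key(actor: Account, target: Account, *, fixed: bool = True) -> bool:
    """Authorization decision for resetting `target`'s auth key.

    With fixed=False the policy only scopes an org admin to their own organization
    and never looks at the target's role, so a site admin in the same org is treated
    like any other member. The fixed policy adds the check that was missing.
    """
    if actor.user_id == target.user_id:
        return True  # users may rotate their own key
    if actor.role is Role.SITE_ADMIN:
        return True  # site admins may reset any account's key
    if actor.role is Role.ORG_ADMIN and actor.org_id == target.org_id:
        if fixed and target.role is Role.SITE_ADMIN:
            return False  # non-site admins must never touch a site admin's key
        return True
    return False

def reset_auth_key(actor: Account, target: Account, *, fixed: bool = True) -> Optional[str]:
    """Rotate the key and return the new value only when authorized; else None."""
    if not may_reset_auth_key(actor, target, fixed=fixed):
        return None
    target.auth_key = secrets.token_hex(20)
    return target.auth_key

# Constructed sample accounts: one organization holding an org admin and a site admin.
site_admin = Account(user_id=1, org_id=10, role=Role.SITE_ADMIN, auth_key="old")
org_admin = Account(user_id=2, org_id=10, role=Role.ORG_ADMIN)
member = Account(user_id=3, org_id=10, role=Role.USER)
other_org_user = Account(user_id=4, org_id=20, role=Role.USER)
```

Running the pre-fix policy against these accounts shows the org admin allowed to rotate the site admin's key, which is exactly the escalation path the advisory describes; the fixed policy denies it while still letting the org admin manage ordinary members of their own organization.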

Affected Systems

The issue affects installations of the MISP threat intelligence platform running any version prior to 2.5.37. Users of earlier releases that have enabled the authentication key reset feature without restricting access to site administrators are at risk.

Risk and Exploitability

The CVSS score of 8.6 classifies the vulnerability as high severity. The EPSS score is not available, and the flaw is not yet listed in CISA KEV. The attack requires the attacker to be authenticated as an organization administrator; from there they can trigger the key reset and obtain privileged access. Because the flaw permits full administrative control once exploited, the impact is critical for the affected system.

Generated by OpenCVE AI on May 13, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MISP to version 2.5.37 or newer to apply the vendor fix.
  • Audit current organizational administrator assignments and restrict the authentication key reset capability to site administrators only.
  • Review access control configurations to enforce proper permissions for key reset operations and verify that future patches continue to restrict this path.

Advisories

No advisories yet.

History

Fri, 15 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Thu, 14 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Misp; Misp misp
Vendors & Products | | Misp; Misp misp

Wed, 13 May 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. This vulnerability is fixed in 2.5.37.
Title | | MISP: Improper access control in auth key reset allows privilege escalation to site administrator
Weaknesses | | CWE-863
References | |
Metrics | | cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:52:16.587Z

Reserved: 2026-05-05T20:15:20.632Z

Link: CVE-2026-44380

Vulnrichment

Updated: 2026-05-14T16:05:25.594Z

NVD

Status: Analyzed

Published: 2026-05-13T21:16:48.623

Modified: 2026-05-15T17:42:29.847

Link: CVE-2026-44380

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T22:45:06Z

Weaknesses