Description
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37.
Published: 2026-05-13
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 2.5.37, the MISP threat‑intel platform accepted unvalidated ordering values from request parameters and concatenated them directly into SQL ORDER BY clauses. The vulnerability enables an attacker with access to the event or shadow attribute listing endpoints to inject arbitrary SQL fragments, potentially leading to data disclosure, modification, or other database‑level consequences. The weakness is classified as CWE‑89, a classic SQL injection flaw that can compromise confidentiality and integrity of the underlying database.

Affected Systems

The affected product is MISP version 2.5.36 and earlier. Versions 2.5.37 and later contain the fix. The issue arises only on installations that expose the listing endpoints to authenticated users, which is common in typical MISP deployments.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. No EPSS value is available, so the exploitation probability is uncertain, but the lack of a KEV listing suggests no publicly known exploits; nevertheless, the generic nature of SQL injection implies a high likelihood of future attacks. The attack can be performed remotely by any user who can reach the listing endpoints and is authorized to use the ordering parameters, indicating a remote vector with user interaction requirements. The maximal impact depends on the database role used by the application; if the application runs with elevated privileges, the damage could be extensive, whereas a lower‑privilege role would limit the scope to the data the user may otherwise access.

Generated by OpenCVE AI on May 13, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MISP installation to version 2.5.37 or later, which removes the vulnerable code path.
  • If an upgrade cannot be performed immediately, disable the ordering parameters or block the affected listing endpoints using the web application firewall or MISP configuration.
  • Ensure that the database user account used by MISP has only the necessary privileges, limiting the potential damage of an injected query.

Generated by OpenCVE AI on May 13, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Misp
Misp misp
Vendors & Products Misp
Misp misp

Wed, 13 May 2026 21:15:00 +0000

Type Values Removed Values Added
Description MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37.
Title MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Misp Misp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:53:03.382Z

Reserved: 2026-05-05T20:15:20.632Z

Link: CVE-2026-44381

cve-icon Vulnrichment

Updated: 2026-05-14T15:52:57.219Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T21:16:48.770

Modified: 2026-05-15T17:37:06.157

Link: CVE-2026-44381

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T22:45:06Z

Weaknesses