Description
An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership but did not exclude higher-privileged site administrator users. As a result, an organization administrator could potentially view or alter site administrator user settings and related login profile information, crossing the intended privilege boundary between organization administration and site-wide administration.

The patch hardens the ACL logic by excluding site administrator accounts from organization administrator–managed user sets, adding explicit authorization failure when a target user is not administrable, and ensuring user setting and login profile operations fail closed.
Published: 2026-06-12
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MISP contains an improper authorization flaw that allows an authenticated organization administrator to view or change the user settings of site administrator accounts within the same organization. The vulnerability arises from access-control logic that scoped administrative actions by organization membership without excluding higher-privileged site administrators. As a result, an organization administrator can cross the intended privilege boundary and alter site administrator user settings and login profile information, gaining influence over site-wide administration that the role was never meant to have. The weakness maps to CWE-639 and CWE-863, both of which describe insufficient authorization checks.
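The following is an added illustration of the check described in the Description and Impact sections above; it is a model written for this page, not MISP's own code, and the role names, the `User` fields and the `settings` dictionary are assumptions. It places the pre-patch organization-only scoping next to the hardened logic, which excludes site administrators from the organization administrator's managed set, raises an explicit authorization error for a non-administrable target, and denies every other combination by default.

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the actor is not allowed to administer the target user."""


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    role: str  # assumed role names: "user", "org_admin", "site_admin"

    @property
    def is_site_admin(self) -> bool:
        return self.role == "site_admin"


def can_administer(actor: User, target: User, hardened: bool = True) -> bool:
    """Return True if `actor` may read or modify `target`'s user settings.

    hardened=False reproduces the pre-patch logic the advisory describes:
    organization membership alone decides, so a site administrator inside
    the org admin's own organization is wrongly treated as manageable.
    """
    if actor.is_site_admin:
        return True
    if actor.role == "org_admin" and actor.org_id == target.org_id:
        if not hardened:
            return True                  # vulnerable: no site-admin exclusion
        return not target.is_site_admin  # patched: site admins are never org-managed
    return False                         # fail closed for every other combination


def set_user_setting(actor: User, target: User, settings: dict,
                     key: str, value: str, hardened: bool = True) -> dict:
    """Write one setting for `target`, raising instead of silently proceeding."""
    if not can_administer(actor, target, hardened):
        raise AuthorizationError(
            f"user {actor.id} may not administer user {target.id}")
    settings.setdefault(target.id, {})[key] = value
    return settings[target.id]


# Constructed sample directory: one organization holding an org admin,
# a site admin and a regular member, plus a user from another organization.
ORG_ADMIN = User(id=1, org_id=10, role="org_admin")
SITE_ADMIN = User(id=2, org_id=10, role="site_admin")
MEMBER = User(id=3, org_id=10, role="user")
OUTSIDER = User(id=4, org_id=20, role="user")
```

With `hardened=False` the org admin's write to `SITE_ADMIN` succeeds; with the default the same call raises `AuthorizationError`, which is the post-patch behaviour a verification step should confirm.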

Affected Systems

The affected product is MISP, as identified by the CNA "mispro:mis". All installations that still contain the legacy ACL logic, that is, any build prior to the patch that hardens the ACLs, are vulnerable. No specific version ranges are listed in the CVE, so any MISP deployment using the default configuration before the recent ACL fix is potentially impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity; no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires an authenticated organization administrator, an attacker needs legitimate credentials for that role, but with them the missing authorization check can be exploited. The likely attack vector is the web interface or the API, authenticated as an organization administrator. The impact is limited to changes to site administrators' user settings and login profiles; however, such changes can destabilize site governance and weaken the overall security posture.

Generated by OpenCVE AI on June 12, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest MISP release that includes the ACL hardening fix; the patch removes site administrators from the sets managed by organization administrators and enforces explicit authorization failure for non‑administrable targets.
  • After applying the patch, verify that organization administrators can no longer modify site administrator user settings or login profiles via the web UI or API. Conduct a quick audit of the ACL configuration to confirm that site administrator accounts are excluded from organization‑level management operations.
  • If an immediate patch cannot be applied, temporarily remove or downgrade the organization administrator role for all users until the fix can be installed, and ensure that no organization administrators have privileges that allow site admin configuration changes.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:15:00 +0000

Type: First Time appeared
Values Added: Misp; Misp misp

Type: Vendors & Products
Values Added: Misp; Misp misp

Fri, 12 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 19:45:00 +0000

Type: Description
Values Added: An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership but did not exclude higher-privileged site administrator users. As a result, an organization administrator could potentially view or alter site administrator user settings and related login profile information, crossing the intended privilege boundary between organization administration and site-wide administration. The patch hardens the ACL logic by excluding site administrator accounts from organization administrator–managed user sets, adding explicit authorization failure when a target user is not administrable, and ensuring user setting and login profile operations fail closed.

Type: Title
Values Added: MISP improper authorization allows organization administrators to modify site administrator user settings

Type: Weaknesses
Values Added: CWE-639; CWE-863

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-12T20:05:08.619Z

Reserved: 2026-06-12T19:25:24.593Z

Link: CVE-2026-54357

Vulnrichment

Updated: 2026-06-12T20:05:05.376Z

NVD

Status: Received

Published: 2026-06-12T20:16:47.583

Modified: 2026-06-12T20:16:47.583

Link: CVE-2026-54357

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T21:00:19Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-863

    Incorrect Authorization