MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is off, state‑changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec‑Fetch‑Site header. A remote unauthenticated attacker can craft a malicious web page that causes an authenticated MISP user’s browser to issue cross‑site requests to MISP automation endpoints. If the requests are accepted, they run with the privileges of the victim user, potentially allowing unauthorized changes to MISP data or configuration. The weakness is a classic CSRF flaw and is classified as CWE‑352; the disabled setting also represents a broader enforcement vulnerability (CWE‑1188).

The vulnerability applies to any MISP deployment that retains its default configuration where Security.check_sec_fetch_site_header is disabled. The only vendor/product identifier is misp:misp, and no particular product version is listed; the issue exists wherever the default security setting remains turned off.

The CVSS score is 7.1, indicating a high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers require only to entice a logged‑in user to visit a malicious site; once that happens, the forged requests are processed with the victim’s privileges. No special access or network credentials are needed, making this a low‑effort, high‑impact attack vector that can be perpetrated from any browser or device that controls the victim’s session.