Description
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one.

An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.

Affected component:
app/Controller/SharingGroupsController.php, add() action
Published: 2026-06-12
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A mass‑assignment flaw in the sharing group creation endpoint allows an authenticated user with permission to add sharing groups to include a primary key in the payload. CakePHP then updates that existing record instead of creating a new one, bypassing the normal edit access‑control checks. The attacker can therefore take over or alter sharing groups they do not otherwise have access to, compromising the confidentiality and integrity of information shared through those groups.

Affected Systems

The vulnerability affects the MISP platform, specifically its sharing group creation logic in the SharingGroupsController add() action. No specific version information is supplied, so any MISP installation running the unpatched code is susceptible.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. Detailed EPSS data is unavailable, but the lack of a KEV listing suggests no widespread exploitation has been confirmed. Nonetheless, because the attack requires only authentication and the relatively common permission to create sharing groups, the likelihood of exploitation is significant for organizations that grant such privileges broadly. The risk is therefore moderate to high, especially for environments where sharing groups contain sensitive data.

Generated by OpenCVE AI on June 12, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MISP patch that removes the mass assignment vulnerability (see commit 687e7cb530ae0e2faaadf5e3e44712258fb3ef1b).
  • Limit the 'add sharing groups' permission to trusted administrators or remove it for users who do not need to create new groups.
  • Review audit logs for suspicious sharing group modifications and ensure existing groups have proper ownership and permissions.

Generated by OpenCVE AI on June 12, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Misp
Misp misp
Vendors & Products Misp
Misp misp

Fri, 12 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one. An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups. Affected component: app/Controller/SharingGroupsController.php, add() action
Title MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}

Subscriptions

Misp Misp
cve-icon MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-12T19:51:44.187Z

Reserved: 2026-06-12T19:51:37.078Z

Link: CVE-2026-54360

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-12T20:16:47.980

Modified: 2026-06-12T20:16:47.980

Link: CVE-2026-54360

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T22:00:20Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key