Description
MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-related fields such as id, org_id, orgc_id, and user_id.

An authenticated attacker with access to the affected endpoints could craft requests containing protected fields in order to alter object ownership, redirect an update to another record, overwrite existing event delegation requests, or modify shadow attribute proposals belonging to another organization. This could result in unauthorized modification of MISP objects and, depending on object visibility and sharing configuration, unauthorized access to or transfer of sensitive threat intelligence data.

The issue was fixed by explicitly pinning ownership and identity fields to their stored values during edit operations and by removing user-supplied primary keys from create-only save paths.

Affected components:

* CollectionsController::edit()
* EventDelegationsController::delegateEvent()
* ShadowAttributesController::edit()
* TagCollectionsController::edit()
* TagCollectionsController::editWithTags()


Attack requirements:
The attacker must be authenticated and able to reach the affected MISP endpoints. No user interaction is required.
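The vulnerable "before" shape and the two fixes the description names (re-pinning ownership and identity fields on edit, dropping client-supplied primary keys on create), as an added framework-agnostic Python illustration; this is not MISP's own CakePHP code, and the editable field names, record layout and session shape are constructed for the example.

```python
# Added illustration of the mass-assignment pattern described in the advisory
# and of the fix it names. Framework-agnostic Python, not MISP's CakePHP code.
# Record layout and editable field names are constructed for this example.

# Server-owned fields named in the advisory (id, org_id, orgc_id, user_id).
PROTECTED_FIELDS = frozenset({"id", "org_id", "orgc_id", "user_id"})

# Fields a client may set on a collection-like record (constructed whitelist).
EDITABLE_FIELDS = frozenset({"name", "description"})

# Constructed stand-in for a persisted row owned by org 1 / user 42.
STORED = {"id": 7, "org_id": 1, "orgc_id": 1, "user_id": 42,
          "name": "Q1 indicators", "description": "internal"}


def edit_vulnerable(stored: dict, request: dict) -> dict:
    """'Before' shape: every client-supplied field is merged into the row,
    so id/org_id/orgc_id/user_id from the request silently win."""
    updated = dict(stored)
    updated.update(request)
    return updated


def edit_hardened(stored: dict, request: dict) -> dict:
    """Edit path: copy only whitelisted fields from the request, then pin
    every protected field back to its stored value."""
    updated = dict(stored)
    updated.update({k: v for k, v in request.items() if k in EDITABLE_FIELDS})
    for field in PROTECTED_FIELDS:
        updated[field] = stored[field]
    return updated


def create_hardened(request: dict, current_user: dict) -> dict:
    """Create-only path: the client cannot choose the primary key or owner.
    Ownership comes from the authenticated session; id is left for the store."""
    record = {k: v for k, v in request.items() if k in EDITABLE_FIELDS}
    record["org_id"] = current_user["org_id"]
    record["orgc_id"] = current_user["org_id"]
    record["user_id"] = current_user["id"]
    record["id"] = None  # assigned by the database on insert
    return record


def protected_fields_in(request: dict) -> set:
    """Detection aid: protected fields a request tried to set. A non-empty
    result on an edit/create endpoint is worth logging and alerting on."""
    return set(request) & PROTECTED_FIELDS
```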
Published: 2026-06-12
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MISP is affected by several mass assignment weaknesses that allow an authenticated user to submit fields that should be controlled by the server, such as identifiers and ownership attributes. By crafting a request that includes these protected fields, the attacker can alter the owner of an event, redirect updates to other records, overwrite event delegation requests, or modify shadow attribute proposals belonging to different organizations. The primary consequence is the unauthorized modification of MISP objects, and depending on visibility and sharing settings, the attacker may gain access to or transfer sensitive threat intelligence data. The vulnerability is a classic example of CWE-639 (Authorization Bypass Through User-Controlled Key): record identifiers and ownership fields supplied by the client are trusted without an authorization check, which lets the attacker act on objects they do not own.

Affected Systems

The platform MISP (Vendor: misp, Product: MISP) and all installations that include the following controllers are impacted: CollectionsController::edit(), EventDelegationsController::delegateEvent(), ShadowAttributesController::edit(), TagCollectionsController::edit(), and TagCollectionsController::editWithTags(). No specific version details are listed, so any current deployment that contains these components is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. The EPSS score is not available, but the CVE notes that exploitation requires authentication and network access to the affected endpoints, with no user interaction needed. The vulnerability is not listed in the CISA KEV catalog, suggesting that it is not currently exploited in the wild. An attacker who can authenticate to MISP and reach these endpoints can construct HTTP requests that override ownership fields, thereby elevating privileges or causing unauthorized data disclosure or modification.

Generated by OpenCVE AI on June 12, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest MISP release or apply the patch that pins ownership and identity fields to their stored values during edit operations and removes user-supplied primary keys from create-only save paths (commit 9341690e9b6dde7f0605edea5533e05ba7362e35).
  • Restrict access to the vulnerable controllers so that only privileged administrators can hit the edit and delegate endpoints, enforcing the principle of least privilege.
  • Review any custom code or modifications that re-enable mass assignment for these controllers, and correct them to accept only permitted fields, or disable the affected endpoints if immediate patching is not feasible.

Generated by OpenCVE AI on June 12, 2026 at 21:20 UTC.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Misp; Misp misp
Vendors & Products  |                | Misp; Misp misp

Fri, 12 Jun 2026 20:15:00 +0000

Type        | Values Removed | Values Added
Description |                | (text identical to the Description section above)
Title       |                | MISP mass assignment vulnerabilities allow unauthorized modification of ownership and delegation records
Weaknesses  |                | CWE-639
References  |                |
Metrics     |                | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-12T19:59:58.787Z

Reserved: 2026-06-12T19:59:41.236Z

Link: CVE-2026-54361

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T20:16:48.110

Modified: 2026-06-12T20:16:48.110

Link: CVE-2026-54361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T21:30:07Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key