CVE-2026-54362 - Vulnerability Details

- MISP template builder exposes non-visible custom galaxies across organisations

Description

An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users.

Published: 2026-06-12

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

An incorrect visibility condition in the MISP event template builder allows authenticated non‑site‑admin users to view private galaxy definitions that should be restricted to their own organization. This results in unauthorized disclosure of metadata about custom galaxies belonging to other organizations. The flaw is rooted in improper authorization (CWE‑863), where a PHP comparison expression was used instead of a query condition to restrict visibility.

Affected Systems

Any installation of the MISP platform that includes the event template builder feature is affected, regardless of version, because the vulnerability stems from the code base rather than a specific release. The issue exists for the community edition and any fork that has not applied the corrective commit referenced in the advisory.

Risk and Exploitability

With a CVSS score of 5.3, the risk is moderate; the EPSS score is currently not available, and the vulnerability is not listed in CISA KEV. The typical attack vector involves an authenticated user with non‑site‑admin permissions navigating the web interface to the template builder. Once the interface lists galaxies, the attacker can see galaxies owned by other organizations and gain insight into their content, which may lead to further exploitation if additional weaknesses are present elsewhere.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

misp

unaffected

Version	Status	Constraints
`0`	affected	< 2.5.40

No data.

Vendor Product Confidence Versions

Misp

100%

Version	Status	Scheme	Platform
`[0,2.5.40)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest MISP release that contains the fix for this issue.
Temporarily disable the event template builder for non‑site‑admin users until the patch is applied.
Audit and adjust galaxy visibility settings so that only organization‑owned galaxies are accessible to users within the same organization.

Generated by OpenCVE AI on June 12, 2026 at 22:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/MISP/MISP/commit/8aa2bb6d1af6e8c57c8d8437cf203acb8bce7a53

History

Sat, 13 Jun 2026 02:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Misp Misp misp
Vendors & Products		Misp Misp misp

Fri, 12 Jun 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users.
Title		MISP template builder exposes non-visible custom galaxies across organisations
Weaknesses		CWE-863
References		https://github.com/MISP/MISP/commit/8aa2bb6d1af6e8c57c8d8437cf203acb8bce7a53
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}`

Subscriptions

Misp Misp

MITRE

Status: PUBLISHED

Assigner: CIRCL

Published: 2026-06-12T20:08:55.486Z

Updated: 2026-06-12T20:08:55.486Z

Reserved: 2026-06-12T20:07:08.918Z

Link: CVE-2026-54362

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T21:16:24.843

Modified: 2026-06-12T21:16:24.843

Link: CVE-2026-54362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T01:45:26Z

Weaknesses

CWE-863
Incorrect Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object