Description
An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect visibility condition in the MISP event template builder allows authenticated non‑site‑admin users to view private galaxy definitions that should be restricted to their own organization. This results in unauthorized disclosure of metadata about custom galaxies belonging to other organizations. The flaw is rooted in improper authorization (CWE‑863), where a PHP comparison expression was used instead of a query condition to restrict visibility.

Affected Systems

Any installation of the MISP platform that includes the event template builder feature is affected, regardless of version, because the vulnerability stems from the code base rather than a specific release. The issue exists for the community edition and any fork that has not applied the corrective commit referenced in the advisory.

Risk and Exploitability

With a CVSS score of 5.3, the risk is moderate; the EPSS score is currently not available, and the vulnerability is not listed in CISA KEV. The typical attack vector involves an authenticated user with non‑site‑admin permissions navigating the web interface to the template builder. Once the interface lists galaxies, the attacker can see galaxies owned by other organizations and gain insight into their content, which may lead to further exploitation if additional weaknesses are present elsewhere.

Generated by OpenCVE AI on June 12, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MISP release that contains the fix for this issue.
  • Temporarily disable the event template builder for non‑site‑admin users until the patch is applied.
  • Audit and adjust galaxy visibility settings so that only organization‑owned galaxies are accessible to users within the same organization.

Generated by OpenCVE AI on June 12, 2026 at 22:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Misp
Misp misp
Vendors & Products Misp
Misp misp

Fri, 12 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users.
Title MISP template builder exposes non-visible custom galaxies across organisations
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-15T18:17:46.838Z

Reserved: 2026-06-12T20:07:08.918Z

Link: CVE-2026-54362

cve-icon Vulnrichment

Updated: 2026-06-15T18:17:41.372Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T21:16:24.843

Modified: 2026-06-15T20:46:57.713

Link: CVE-2026-54362

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T01:45:26Z

Weaknesses