Description
MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended APP/files/img/orgs/ directory. An attacker able to influence an organisation field, for example the organisation name, could use path traversal sequences to cause MISP to return arbitrary readable .png or .svg files from outside the organisation logo directory. The issue is fixed by resolving candidate paths with realpath() and verifying that they remain under the expected base directory before serving the file.
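The containment check the description calls for, as an added example written in plain PHP; it is not the MISP project's own code, and the base directory, the candidate field values and the temporary files used in the self-check are constructed for the demonstration.

```php
<?php
// Added example, not MISP's own code: resolve a candidate logo path with
// realpath() and confirm it stays under the logo directory before serving it.
// Directory layout and field values are constructed for this demonstration.

function resolveOrgLogo(string $baseDir, array $candidates): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;                       // no logo directory: serve nothing
    }
    // Compare against "<base>/" so a sibling such as "orgs_old" cannot match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    foreach ($candidates as $field) {
        foreach (['png', 'svg'] as $ext) {
            // realpath() collapses any "../" segments and returns false when
            // the file does not exist, so the test runs on the real location.
            $real = realpath($base . DIRECTORY_SEPARATOR . $field . '.' . $ext);
            if ($real !== false && is_file($real)
                && strncmp($real, $prefix, strlen($prefix)) === 0) {
                return $real;
            }
        }
    }
    return null;                           // caller falls back to a default logo
}

// Self-check on a temporary directory (constructed): a logo inside the base
// resolves, while a traversal supplied through a name-like field does not.
$tmp  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'orglogo_' . bin2hex(random_bytes(4));
$orgs = $tmp . DIRECTORY_SEPARATOR . 'orgs';
mkdir($orgs, 0700, true);
file_put_contents($orgs . '/42.png', 'stub');
file_put_contents($tmp . '/outside.png', 'stub');

$inside  = resolveOrgLogo($orgs, ['42', 'Example Org', 'uuid-placeholder']);
$escaped = resolveOrgLogo($orgs, ['../outside']);
var_dump($inside === realpath($orgs . '/42.png'));
var_dump($escaped);

unlink($orgs . '/42.png');
unlink($tmp . '/outside.png');
rmdir($orgs);
rmdir($tmp);
```

Because the prefix test runs on the result of realpath(), it also rejects symlinks inside the logo directory that point outside it, which a plain string check on the unresolved path would not.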
Published: 2026-06-12
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a path traversal issue in the OrganisationsController::getOrgLogo method of MISP. Attackers who can influence organization fields such as the name can manipulate the constructed logo path so that it references files outside the intended images directory. The flaw permits retrieval of arbitrary .png or .svg files that reside beyond the orgs folder, leaking assets that were never meant to be served. The weakness is a classic CWE-22: Path Traversal. In the worst case, an attacker could expose configuration files or other private data if such files are readable by the web process, compromising the confidentiality of that data.

Affected Systems

The flaw affects the MISP platform (misp:misp). Any installation that has not applied the fix introduced in commit b865deb036ca82dab272be260798f562034ba9ae is vulnerable. The patch adds realpath validation to ensure resolved paths stay within APP/files/img/orgs. Administrators should verify whether their current MISP deployment runs a version older than this commit and, if so, upgrade accordingly.

Risk and Exploitability

The CVSS v3 score of 5.3 classifies the issue as medium severity, reflecting that exploitation requires the ability to modify organization attributes. No EPSS score is published, and the vulnerability is not yet listed in CISA KEV. If attackers can inject malicious organization names or payloads, they may read arbitrary PNG or SVG files. The exploit chain is straightforward: influence an organization field, trigger the logo endpoint, and receive the requested file. Mitigation rests mainly on applying the upstream patch and limiting who can alter organization details.

Generated by OpenCVE AI on June 12, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MISP to the version that includes the commit b865deb036ca82dab272be260798f562034ba9ae which introduces realpath path validation for logo retrieval.
  • Restrict editing of organization names and other logo-related fields to privileged administrators, preventing untrusted users from injecting path traversal characters.
  • As an interim measure, configure the web server or WAF to block or detect requests to OrganisationsController::getOrgLogo that contain '..' or slash traversal patterns, and redirect them to a safe response until the patch is applied.

Generated by OpenCVE AI on June 12, 2026 at 22:37 UTC.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 23:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Misp; Misp misp
Vendors & Products | | Misp; Misp misp

Fri, 12 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended APP/files/img/orgs/ directory. An attacker able to influence an organisation field, for example the organisation name, could use path traversal sequences to cause MISP to return arbitrary readable .png or .svg files from outside the organisation logo directory. The issue is fixed by resolving candidate paths with realpath() and verifying that they remain under the expected base directory before serving the file.
Title | | MISP organisation logo path traversal allows retrieval of arbitrary PNG/SVG files
Weaknesses | | CWE-22
References | |
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-12T20:30:25.887Z

Reserved: 2026-06-12T20:30:17.302Z

Link: CVE-2026-54394

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T21:16:25.157

Modified: 2026-06-12T21:16:25.157

Link: CVE-2026-54394

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:15:10Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')