Description
An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An information disclosure vulnerability exists in the AuthKey edit feature of the MISP platform. When an AuthKey update fails validation, the dropdown of available users is populated using the user_id field from the request payload, which an attacker can control. This flaw allows an authenticated user who has permission to edit AuthKey entries to submit arbitrary user IDs and read the resulting dropdown data, allowing the email address of any user on the instance to be enumerated one ID at a time.

Affected Systems

Affects any deployment of the MISP platform (misp:misp) that exposes the AuthKey edit endpoint. No specific affected versions are listed, so all released versions should be treated as potentially vulnerable until the fix is applied.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with permission to edit AuthKey entries, which limits the pool of potential attackers to users who already hold that privilege. Nevertheless, the revealed email addresses may facilitate further social engineering or targeted attacks.

Generated by OpenCVE AI on June 12, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the MISP update that changes the AuthKey edit dropdown logic to use the persisted AuthKey owner instead of the request body, as detailed in commit 42737f4e88df801486334690913dd344e447fac3.
  • Limit AuthKey edit permissions to a trusted set of administrators, removing write access for normal users to reduce the opportunity for enumeration.
  • Disable or sanitize error responses during AuthKey edits so that user IDs and email addresses are not disclosed in validation error messages or logs.

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 00:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Misp; Misp misp
Vendors & Products   |                | Misp; Misp misp

Fri, 12 Jun 2026 21:00:00 +0000

Type         | Values Removed | Values Added
Description  |                | An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.
Title        |                | MISP AuthKey edit endpoint allows authenticated user email enumeration
Weaknesses   |                | CWE-200
References   |                |
Metrics      |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-12T20:48:18.723Z

Reserved: 2026-06-12T20:46:44.530Z

Link: CVE-2026-54396

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T21:16:25.423

Modified: 2026-06-12T21:16:25.423

Link: CVE-2026-54396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T00:30:09Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor