Description
An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An information disclosure vulnerability exists in the AuthKey edit feature of the MISP platform. When an AuthKey update fails validation, the form is re-rendered and its user dropdown is populated from the user_id field of the request payload, which the submitter controls, rather than from the stored owner of the key. An authenticated user who is allowed to edit an AuthKey can therefore deliberately trigger a validation error once per candidate user ID and read the dropdown data that comes back, learning the email address behind each valid ID. Repeated across the ID space this enumerates the instance's user email addresses; no single request reveals all users at once.

Affected Systems

Affects any deployment of the MISP platform (misp:misp) that exposes the AuthKey edit endpoint. The record lists no affected version range, so treat all releases that predate the fix as potentially vulnerable until the update is applied.

Risk and Exploitability

The CVSS v4.0 score of 5.3 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L, with no integrity or availability impact) indicates moderate severity. The EPSS score is below 1% (Very Low), the SSVC assessment records no known exploitation and rates the issue as not automatable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a valid account that is permitted to edit an AuthKey, which limits who can attempt it, but the enumeration itself is cheap: one failed edit request per candidate user ID. The revealed email addresses map directly to accounts that exist on the instance and may facilitate social engineering or other targeted attacks against them.

Generated by OpenCVE AI on June 12, 2026 at 22:36 UTC.

Remediation

No vendor advisory or workaround is recorded here. The CVE description states that the issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body; the recommended actions below identify the corresponding MISP commit.
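The following is an added example, not code from MISP or from this page: a Python model of the control flow the description gives, with the pre-fix handler beside the fixed one and a small routine showing what an editor of a key learns from each. MISP itself is written in PHP, so this mirrors the logic rather than the code. The names AuthKey, USERS, AUTH_KEYS, AUDIT, edit_authkey_vulnerable, edit_authkey_fixed and enumerate_emails, the single-entry dropdown, the constructed user table and the validation rule on "expiration" are all assumptions made for illustration. The owner-mismatch audit in the fixed handler is an extra check added here, not part of the upstream fix.

```python
"""Model of the AuthKey edit validation-error path (CVE-2026-54396).

Added example, not MISP's code. MISP is a PHP/CakePHP application; this
sketches the control flow in Python. All names and the sample data are
assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class AuthKey:
    id: int
    user_id: int  # persisted owner of the key
    comment: str = ""


# Constructed sample data: a small user table and one persisted AuthKey
# owned by user 2. A real instance reads these from its database.
USERS = {1: "admin@example.org", 2: "analyst@example.org", 3: "ciso@example.org"}
AUTH_KEYS = {10: AuthKey(id=10, user_id=2, comment="analyst key")}
AUDIT = []  # (key_id, submitted_user_id, persisted_user_id) mismatches


def _to_int(value, default):
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def validate(request):
    """Assumed rule: 'expiration' must be a non-negative integer."""
    errors = []
    if _to_int(request.get("expiration", 0), -1) < 0:
        errors.append("expiration: must be a non-negative integer")
    if len(request.get("comment", "")) > 255:
        errors.append("comment: too long")
    return errors


def _dropdown_for(user_id):
    """The user dropdown re-rendered with the form: one entry, id -> email."""
    return {user_id: USERS[user_id]} if user_id in USERS else {}


def _apply(key, request):
    # Only the comment is updated here; reassigning the owner is out of scope.
    key.comment = request.get("comment", key.comment)
    return {"ok": True, "errors": [], "user_dropdown": _dropdown_for(key.user_id)}


def edit_authkey_vulnerable(key_id, request):
    """Pre-fix behaviour: on a validation error the dropdown is built from the
    request body's user_id, so any id the caller sends is looked up and its
    email returned."""
    key = AUTH_KEYS[key_id]
    errors = validate(request)
    if errors:
        submitted = _to_int(request.get("user_id"), key.user_id)  # attacker-controlled
        return {"ok": False, "errors": errors, "user_dropdown": _dropdown_for(submitted)}
    return _apply(key, request)


def edit_authkey_fixed(key_id, request):
    """Post-fix behaviour: the dropdown is always derived from the persisted
    owner. Added check: a submitted user_id that differs from the persisted
    owner is recorded for review, and nothing is looked up for it."""
    key = AUTH_KEYS[key_id]
    submitted = _to_int(request.get("user_id"), key.user_id)
    if submitted != key.user_id:
        AUDIT.append((key_id, submitted, key.user_id))
    errors = validate(request)
    if errors:
        return {"ok": False, "errors": errors, "user_dropdown": _dropdown_for(key.user_id)}
    return _apply(key, request)


def enumerate_emails(handler, key_id, candidate_ids):
    """What an editor of key_id learns by forcing a validation error once per
    candidate user_id and reading back the returned dropdown."""
    found = {}
    for uid in candidate_ids:
        resp = handler(key_id, {"user_id": uid, "expiration": "not-a-number"})
        assert not resp["ok"]  # every probe is a failed edit, nothing is saved
        found.update(resp["user_dropdown"])
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_emails(edit_authkey_vulnerable, 10, range(1, 6)))
    print("fixed:     ", enumerate_emails(edit_authkey_fixed, 10, range(1, 6)))
    print("audit:     ", AUDIT)
```

Run it directly to see the two result sets side by side: the pre-fix handler hands back the email for every valid ID probed, the fixed handler only ever returns the key's own owner, which the editor already knows. The point to carry into a review of the real endpoint is the ordering in the fixed handler: anything that re-renders the form after a failed save must read the owner from the stored record, never from the body that just failed validation.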

OpenCVE Recommended Actions

  • Apply the MISP update that changes the AuthKey edit dropdown logic to use the persisted AuthKey owner instead of the request body (commit 42737f4e88df801486334690913dd344e447fac3). After updating, confirm the fix on a test instance: an edit request that fails validation while carrying a user_id other than the key's owner should no longer return that user's details in the dropdown.
  • Until the update is applied, restrict AuthKey editing to a trusted set of administrators where your workflow allows it. This shrinks the pool of accounts that can drive the enumeration but does not remove the flaw, since any permitted account can still exercise it.
  • Do not rely on sanitizing validation error messages alone: the data leaks through the user dropdown returned with the re-rendered form, not through the error text. Review that path specifically, and check that user IDs and email addresses are not echoed into logs or other error output.


Advisories

No advisories yet.

History

Mon, 15 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 13 Jun 2026 00:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Misp; Misp misp
Vendors & Products | | Misp; Misp misp

Fri, 12 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.
Title | | MISP AuthKey edit endpoint allows authenticated user email enumeration
Weaknesses | | CWE-200
References | |
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-15T17:55:07.530Z

Reserved: 2026-06-12T20:46:44.530Z

Link: CVE-2026-54396

Vulnrichment

Updated: 2026-06-15T17:55:03.872Z

NVD

Status : Deferred

Published: 2026-06-12T21:16:25.423

Modified: 2026-06-15T20:46:57.713

Link: CVE-2026-54396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-13T00:30:09Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor