Impact
A flaw in MISP's non‑REST event editing path lets an authenticated user with edit rights submit form data that sets an event's sharing_group_id to a sharing group the user is not authorized to use. When the distribution is set to the sharing‑group level, the application does not verify that the user may use the selected group, so the user can move an event into an undisclosed or restricted sharing group. This can expose the sharing group's name in event listings, allow unintended use of restricted groups, and let a user alter distribution metadata they should not control, potentially revealing sensitive information or bypassing access controls.
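The following is an added, constructed model of the missing check, not MISP's own code: a simplified event edit handler in its pre‑fix form (copying sharing_group_id from the form without authorization) beside a hardened form that rejects any sharing group the user's organisation is not a member of. The distribution value 4 for "sharing group" follows MISP's convention; the User, SharingGroup, event dict and sample data are assumptions made up for the example, and storing 0 as the sharing group id when no sharing group applies is likewise an assumption about storage, not a documented MISP behaviour.

```python
"""Model of the sharing-group authorization gap in an event edit handler.

Constructed example, not MISP code. Only DISTRIBUTION_SHARING_GROUP = 4
mirrors a real MISP convention; everything else is a simplified stand-in.
"""
from dataclasses import dataclass

DISTRIBUTION_SHARING_GROUP = 4  # MISP: distribution 4 = restricted to a sharing group


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    is_site_admin: bool = False


@dataclass(frozen=True)
class SharingGroup:
    id: int
    name: str
    org_ids: frozenset  # organisations allowed to use this group (assumed model)


class AuthorizationError(Exception):
    """Raised when a user selects a sharing group they may not use."""


def user_can_use_sharing_group(user: User, sg: SharingGroup) -> bool:
    # Assumed rule: site admins may use any group, others only their org's groups.
    return user.is_site_admin or user.org_id in sg.org_ids


def edit_event_vulnerable(event, form, user, sharing_groups):
    """Pre-fix behaviour: trusts sharing_group_id straight from the form."""
    event = dict(event)
    event["distribution"] = int(form.get("distribution", event["distribution"]))
    if "sharing_group_id" in form:
        # No check that `user` is allowed to use this group.
        event["sharing_group_id"] = int(form["sharing_group_id"])
    return event


def edit_event_fixed(event, form, user, sharing_groups):
    """Hardened behaviour: validate the group whenever distribution is 4."""
    event = dict(event)
    distribution = int(form.get("distribution", event["distribution"]))
    if distribution == DISTRIBUTION_SHARING_GROUP:
        sg_id = int(form.get("sharing_group_id", event.get("sharing_group_id") or 0))
        sg = sharing_groups.get(sg_id)
        if sg is None or not user_can_use_sharing_group(user, sg):
            # Reject unknown groups and groups outside the user's authorization;
            # do not echo the group's name, which is itself restricted information.
            raise AuthorizationError(f"user {user.id} may not use sharing group {sg_id}")
        event["sharing_group_id"] = sg_id
    else:
        # Assumption: no sharing group applies at other distribution levels,
        # so a submitted sharing_group_id must not be stored.
        event["sharing_group_id"] = 0
    event["distribution"] = distribution
    return event


def try_edit(handler, event, form, user, sharing_groups):
    """Run a handler and report ('allowed', event) or ('denied', reason)."""
    try:
        return "allowed", handler(event, form, user, sharing_groups)
    except AuthorizationError as exc:
        return "denied", str(exc)


# Constructed sample data: the attacker's org (10) belongs to group 1 only.
SAMPLE_GROUPS = {
    1: SharingGroup(1, "Partner exchange", frozenset({10, 20})),
    2: SharingGroup(2, "Restricted LE group", frozenset({30})),
}
SAMPLE_USER = User(id=7, org_id=10)
SAMPLE_EVENT = {"id": 42, "distribution": 1, "sharing_group_id": 0}
ATTACK_FORM = {"distribution": "4", "sharing_group_id": "2"}   # group user may not use
LEGIT_FORM = {"distribution": "4", "sharing_group_id": "1"}    # group user belongs to
STRAY_FORM = {"distribution": "1", "sharing_group_id": "2"}    # sg id with non-sg level

if __name__ == "__main__":
    for name, handler in (("vulnerable", edit_event_vulnerable), ("fixed", edit_event_fixed)):
        for label, form in (("attack", ATTACK_FORM), ("legit", LEGIT_FORM), ("stray", STRAY_FORM)):
            print(name, label, try_edit(handler, SAMPLE_EVENT, form, SAMPLE_USER, SAMPLE_GROUPS))
```

The hardened handler also clears sharing_group_id when the distribution is not the sharing‑group level, so a stray group id submitted alongside another distribution value cannot leak into the stored record.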
Affected Systems
The vulnerability affects the MISP open‑source threat intelligence platform, identified by the CNA as misp:misp. The advisory lists no specific affected versions, so any deployment whose code base does not include the fixing commit 609ff6c785d7dae41d22ef43dda9347d34cd2a58 should be treated as potentially vulnerable; confirm the fix by checking that the deployed checkout contains that commit rather than relying on a version number alone.
Risk and Exploitability
The CVSS score is 6.1 (Medium). No EPSS value is supplied, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an authenticated account with event edit permissions: the attacker logs into MISP and tampers with the event edit form submission, so the flaw is not reachable by unauthenticated remote users. An attacker who obtains such privileges, for example through phishing or other credential compromise, or an insider who already holds them, could place events into restricted sharing groups and learn confidential distribution details. With no known public exploit, the practical risk is concentrated in deployments where edit rights are widely granted or account compromise is plausible, rather than in opportunistic mass exploitation.
OpenCVE Enrichment