Description
An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.

An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.
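The two defects described above (a check run against the wrong data structure after the merge, and embedded attributes never being checked individually) are easier to see in code. The following is an added Python model written for this page, not MISP's own code (MISP is written in PHP); the request layout, the `User` type, the function names `vulnerable_validate` and `fixed_validate`, and all ids are constructed for illustration. It assumes MISP's convention that distribution level 4 means "sharing group" and that the request carries the object under an `Object` key with its attributes under `Attribute`.

```python
"""Added example: modelling the sharing-group authorization check from the
advisory. Hypothetical code, not MISP's implementation."""

from dataclasses import dataclass

# MISP distribution level that references a sharing group (levels 0-3 are
# org/community/connected/all, 5 is "inherit event").
DISTRIBUTION_SHARING_GROUP = 4


@dataclass(frozen=True)
class User:
    org_id: int
    authorized_sharing_groups: frozenset  # sharing group ids this user may use (constructed)


def _check_sharing_group(entity: dict, user: User, path: str) -> list[str]:
    """Return violations for one object or attribute dict."""
    if entity.get("distribution") != DISTRIBUTION_SHARING_GROUP:
        return []
    if entity.get("sharing_group_id") not in user.authorized_sharing_groups:
        # Reject without echoing the group's name: a message naming it would
        # itself disclose the existence of a group the user cannot see.
        return [f"{path}: sharing_group_id not authorized for this user"]
    return []


def _merge_object_to_top_level(request: dict) -> dict:
    """Flatten request['Object'] into the top level, as the advisory describes."""
    merged = {**request, **request.get("Object", {})}
    merged.pop("Object", None)
    return merged


def vulnerable_validate(request: dict, user: User) -> list[str]:
    """Flawed pattern (hypothetical): the check still reads the nested 'Object'
    key, which no longer exists after the merge, so it passes vacuously, and
    embedded attributes are not inspected at all."""
    merged = _merge_object_to_top_level(request)
    nested = merged.get("Object", {})  # empty: the fields now live at top level
    return _check_sharing_group(nested, user, "Object")


def fixed_validate(request: dict, user: User) -> list[str]:
    """Corrected pattern: validate the merged object itself, then every
    embedded attribute on its own."""
    merged = _merge_object_to_top_level(request)
    violations = _check_sharing_group(merged, user, "Object")
    for i, attr in enumerate(merged.get("Attribute", [])):
        violations += _check_sharing_group(attr, user, f"Attribute[{i}]")
    return violations


# Constructed request: the object targets sharing group 42 (not visible to the
# user), one attribute inherits, one uses an authorized group, one does not.
CONSTRUCTED_REQUEST = {
    "Object": {
        "name": "file",
        "distribution": 4,
        "sharing_group_id": 42,
        "Attribute": [
            {"type": "sha256", "value": "<hash placeholder>", "distribution": 5},
            {"type": "filename", "value": "sample.bin", "distribution": 4, "sharing_group_id": 7},
            {"type": "size-in-bytes", "value": "1024", "distribution": 4, "sharing_group_id": 99},
        ],
    }
}
CONSTRUCTED_USER = User(org_id=1, authorized_sharing_groups=frozenset({7}))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_validate(CONSTRUCTED_REQUEST, CONSTRUCTED_USER))
    print("fixed:     ", fixed_validate(CONSTRUCTED_REQUEST, CONSTRUCTED_USER))
```

Run stand-alone, the vulnerable path returns no violations for this request, while the fixed path rejects both the object (group 42) and the third attribute (group 99) and lets the attribute using group 7 through. The same per-entity check, applied to recorded edits rather than incoming requests, is what a log review for unexpected `sharing_group_id` values amounts to.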
Published: 2026-06-12
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MISP’s object editing process validates sharing_group_id against the wrong request data structure after object fields have been merged to the top level, allowing a user with edit rights to attach an object or its attributes to any sharing group, regardless of their permissions. The flaw also bypasses per-attribute validation for embedded attributes, enabling further unauthorized distribution. An attacker can craft requests that set a distribution level of 4 with a chosen sharing_group_id, thereby revealing information about hidden sharing groups and altering the intended distribution metadata of objects.

Affected Systems

The vulnerability impacts the MISP platform from the vendor MISP. No specific version ranges are detailed in the data, so any deployment using the affected object handling code may be affected until patched.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is unavailable, so the current likelihood of exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog. Because the flaw exists in the request handling path for authenticated users with edit permissions, the most likely attack vector is a remote authenticated request to the object edit endpoint. This inference is drawn from the description stating the issue arises during object editing.

Generated by OpenCVE AI on June 12, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest released version of MISP that includes the fixed validation logic for sharing_group_id assignment
  • Revoke or limit object editing permissions for users who do not require full distribution control, ensuring only trusted users can modify sharing groups
  • Audit existing sharing groups and distribution settings to detect any unauthorized assignments or visibility leakages, and apply corrective controls as needed
  • Monitor MISP edit logs for anomalous sharing_group_id values or distribution changes that may indicate exploitation



Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use. An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.

Type: Title
Values Removed: (none)
Values Added: MISP object edit authorization bypass allows unauthorized sharing group assignment

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-863

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-12T21:08:15.574Z

Reserved: 2026-06-12T21:08:11.128Z

Link: CVE-2026-54398

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T22:16:56.370

Modified: 2026-06-12T22:16:56.370

Link: CVE-2026-54398

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:30:08Z

Weaknesses