Description
An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.

An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.
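The Python model below is an added illustration, not code from MISP (which is written in PHP on CakePHP) or from this OpenCVE record. It reproduces the two weaknesses the description names: a sharing-group check that inspects the still-nested "Object" block while the save path uses the merged top-level fields, and the absence of any per-attribute check. The request layout, the helper names and the `allowed` set standing in for the user's authorized sharing groups are assumptions; only the value 4 for "distribution means sharing group" follows MISP's real convention.

```python
"""Model of the CVE-2026-54398 authorization check. Added illustration, not
MISP code; request layout, helper names and the `allowed` set are assumptions.
Only distribution == 4 ("sharing group") follows MISP's convention."""
from typing import Any, Callable

DISTRIBUTION_SHARING_GROUP = 4


class SharingGroupDenied(PermissionError):
    """Raised when a sharing_group_id is used that the editor may not use."""


def merge_object_fields(request: dict[str, Any]) -> dict[str, Any]:
    """Copy fields nested under "Object" to the top level (the merge step the
    advisory refers to). Top-level keys the client already sent are kept."""
    merged = {k: v for k, v in request.items() if k != "Object"}
    merged.update(request.get("Object", {}))
    return merged


def check_sharing_group(entity: dict[str, Any], allowed: set[int], what: str) -> None:
    """Only distribution 4 carries a sharing group; for it, the id must be one
    the editing user is authorised to use."""
    if int(entity.get("distribution", 0)) != DISTRIBUTION_SHARING_GROUP:
        return
    sg = entity.get("sharing_group_id")
    if sg is None or int(sg) not in allowed:
        raise SharingGroupDenied(f"{what}: sharing_group_id {sg!r} not authorised")


def vulnerable_edit(request: dict[str, Any], allowed: set[int]) -> dict[str, Any]:
    """Save path uses `merged`, but the check reads the still-nested block, so
    distribution/sharing_group_id sent at the top level are saved unchecked.
    Embedded attributes are never validated at all."""
    merged = merge_object_fields(request)
    check_sharing_group(request.get("Object", {}), allowed, "object")
    return merged


def fixed_edit(request: dict[str, Any], allowed: set[int]) -> dict[str, Any]:
    """Validate the structure that is actually saved, and every attribute in it."""
    merged = merge_object_fields(request)
    check_sharing_group(merged, allowed, "object")
    for i, attr in enumerate(merged.get("Attribute", [])):
        check_sharing_group(attr, allowed, f"Attribute[{i}]")
    return merged


def attempt(handler: Callable[..., dict[str, Any]], request: dict[str, Any],
            allowed: set[int]) -> str:
    """Return "accepted" or "denied: <reason>" for a handler/request pair."""
    try:
        handler(request, allowed)
        return "accepted"
    except SharingGroupDenied as exc:
        return f"denied: {exc}"


# Constructed sample data: the editing user may use sharing groups 1 and 2.
ALLOWED = {1, 2}

# Crafted payload: object fields moved to the top level, pointing at group 7.
CRAFTED = {
    "Object": {"name": "file", "meta-category": "file"},
    "distribution": 4,
    "sharing_group_id": 7,
    "Attribute": [{"type": "filename", "value": "dropper.exe",
                   "distribution": 4, "sharing_group_id": 9}],
}

# Object itself is legitimate (group 1) but an embedded attribute targets group 9.
ATTRIBUTE_ONLY = {
    "Object": {"name": "file", "distribution": 4, "sharing_group_id": 1,
               "Attribute": [{"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
                              "distribution": 4, "sharing_group_id": 9}]},
}

# Fully authorised request: object in group 2, attribute not using a sharing group.
LEGITIMATE = {
    "Object": {"name": "file", "distribution": 4, "sharing_group_id": 2,
               "Attribute": [{"type": "filename", "value": "a.txt", "distribution": 0}]},
}

if __name__ == "__main__":
    for label, req in [("crafted", CRAFTED), ("attribute-only", ATTRIBUTE_ONLY),
                       ("legitimate", LEGITIMATE)]:
        print(f"{label:15} vulnerable={attempt(vulnerable_edit, req, ALLOWED)!r}  "
              f"fixed={attempt(fixed_edit, req, ALLOWED)!r}")
```

The two crafted requests pass the vulnerable handler and are rejected by the fixed one, while the legitimate request passes both; the point is that the check must run over the exact structure that gets persisted, and over every nested entity that carries its own distribution.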
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MISP’s object editing process improperly validates the sharing_group_id when combining object fields into the top layer, allowing a user with edit rights to attach an object or its attributes to any sharing group, regardless of their permissions. The flaw also bypasses per-attribute validation for embedded attributes, enabling further unauthorized distribution. An attacker can craft requests that set a distribution level of 4 with a chosen sharing_group_id, thereby revealing information about hidden sharing groups and altering the intended distribution metadata of objects.

Affected Systems

The vulnerability affects the MISP threat-intelligence platform (vendor: MISP). The record lists no affected version range, so any deployment running the object add/edit handling described above should be treated as affected until the fixed release is confirmed.

Risk and Exploitability

The CVSS v4.0 base score of 5.3 places this at medium severity, and the EPSS probability is below 1%, so exploitation in the wild is currently judged unlikely; the CVE is not listed in the CISA KEV catalog. The vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L) matches the description: a remote request by an authenticated user holding object-edit permissions, with no user interaction, yielding limited confidentiality impact (disclosure of the existence or name of hidden sharing groups) and limited integrity impact (altered distribution metadata). The most likely attack path is therefore a crafted object add or edit request; this is an inference from the description, not a published exploit.

Generated by OpenCVE AI on June 12, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest released version of MISP that includes the fixed validation logic for sharing_group_id assignment
  • Revoke or limit object editing permissions for users who do not require full distribution control, ensuring only trusted users can modify sharing groups
  • Audit existing sharing groups and distribution settings to detect any unauthorized assignments or visibility leakages, and apply corrective controls as needed
  • Monitor MISP edit logs for anomalous sharing_group_id values or distribution changes that may indicate exploitation
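As an added example for the audit and monitoring items above (not part of the OpenCVE text), the following Python scans edit-log records for two signals: a distribution of 4 whose sharing_group_id lies outside the editing user's authorized groups, and a sharing_group_id that matches no group the instance knows about, which is what probing for hidden groups would look like. The record layout, user names and group ids are constructed for the example and are not MISP's actual log format.

```python
"""Audit helper for the recommended actions above. Added illustration; the
record layout below is constructed and is not MISP's log format."""
from typing import Any, Iterable

DISTRIBUTION_SHARING_GROUP = 4

# Constructed: which sharing groups each user is authorised to use.
AUTHORIZED: dict[str, set[int]] = {"alice": {1, 2}, "bob": {3}}

# Constructed: sharing groups that actually exist on the instance.
KNOWN_GROUPS: set[int] = {1, 2, 3, 4}

# Constructed edit-log records, one per object/attribute change.
RECORDS: list[dict[str, Any]] = [
    {"id": 101, "user": "alice", "model": "MispObject", "distribution": 4, "sharing_group_id": 1},
    {"id": 102, "user": "alice", "model": "Attribute",  "distribution": 4, "sharing_group_id": 4},
    {"id": 103, "user": "bob",   "model": "MispObject", "distribution": 0, "sharing_group_id": 0},
    {"id": 104, "user": "bob",   "model": "Attribute",  "distribution": 4, "sharing_group_id": 42},
    {"id": 105, "user": "carol", "model": "MispObject", "distribution": 4, "sharing_group_id": 2},
]


def find_suspicious(records: Iterable[dict[str, Any]],
                    authorized: dict[str, set[int]],
                    known_groups: set[int]) -> list[tuple[int, str]]:
    """Return (record id, reason) for every sharing-group assignment that the
    acting user was not entitled to make or that names a non-existent group."""
    findings: list[tuple[int, str]] = []
    for rec in records:
        # Only distribution 4 carries a sharing group; other levels are not in scope.
        if int(rec.get("distribution", 0)) != DISTRIBUTION_SHARING_GROUP:
            continue
        sg = int(rec.get("sharing_group_id", 0))
        user = str(rec.get("user", ""))
        allowed = authorized.get(user, set())  # unknown user -> nothing allowed
        if sg not in known_groups:
            findings.append((rec["id"],
                             f"{user} referenced unknown sharing group {sg} "
                             f"(possible enumeration of hidden groups)"))
        elif sg not in allowed:
            findings.append((rec["id"],
                             f"{user} assigned {rec['model']} to sharing group {sg} "
                             f"outside authorised set {sorted(allowed)}"))
    return findings


if __name__ == "__main__":
    for rec_id, reason in find_suspicious(RECORDS, AUTHORIZED, KNOWN_GROUPS):
        print(f"record {rec_id}: {reason}")
```

Run against the constructed records it flags 102 (alice using group 4, which exists but is not hers), 104 (bob naming a group that does not exist) and 105 (carol, who has no authorized groups at all); the same function can be pointed at a dump of current object and attribute distribution settings to audit existing state rather than changes.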

Tracking

Advisories

No advisories yet.

History

Each entry below lists the values added; no values were removed in any entry.

Mon, 15 Jun 2026 18:30:00 +0000

  Metrics added (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 23:15:00 +0000

  First Time appeared: Misp (vendor), Misp misp (product)
  Vendors & Products added: Misp (vendor), Misp misp (product)

Fri, 12 Jun 2026 21:45:00 +0000

  Description added: the description text shown at the top of this page
  Title added: MISP object edit authorization bypass allows unauthorized sharing group assignment
  Weaknesses added: CWE-863
  References added: none listed
  Metrics added (cvssV4_0): {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-15T17:26:09.454Z

Reserved: 2026-06-12T21:08:11.128Z

Link: CVE-2026-54398

Vulnrichment

Updated: 2026-06-15T17:26:03.599Z

NVD

Status : Deferred

Published: 2026-06-12T22:16:56.370

Modified: 2026-06-15T20:46:57.713

Link: CVE-2026-54398

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:00:08Z

Weaknesses