Description
Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.

In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user’s context.

The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub’s patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned.
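To make the defect and the fix described above concrete, the following is an added example written for this page; it is not MISP or CakePHP code. It models the two save paths in plain Python: a vulnerable edit that copies every payload field, including a payload `id`, onto the loaded record (so the stand-in `orm_save()` writes a different row than the one the authorization check loaded), and a hardened edit and create that drop non-whitelisted fields, re-pin the route-authorized primary key, pin ownership to the caller, and validate sharing-group scope. The table, records, payloads, field sets and function names are all constructed for illustration.

```python
from copy import deepcopy

# Constructed sample data (not from MISP): an in-memory "events" table keyed by id.
SAMPLE_EVENTS = {
    1: {"id": 1, "org_id": 10, "sharing_group_id": 0, "info": "event of org 10"},
    2: {"id": 2, "org_id": 20, "sharing_group_id": 0, "info": "event of org 20"},
}

# Assumed whitelist: the only fields a client may change through edit/create.
EDITABLE_FIELDS = {"info", "sharing_group_id"}


def load_authorized(table, user_org_id, event_id):
    """Authorization check: the caller's org must own the row named in the route."""
    rec = table.get(event_id)
    if rec is None or rec["org_id"] != user_org_id:
        raise PermissionError(f"org {user_org_id} may not edit event {event_id}")
    return dict(rec)  # a copy, like a freshly loaded ORM entity


def orm_save(table, data):
    """Stand-in for an ORM save(): the 'id' inside the data decides which row is
    written; a missing id means insert. Returns the id that was written."""
    if data.get("id") is None:
        data = {**data, "id": max(table, default=0) + 1}
    table[data["id"]] = data
    return data["id"]


def edit_vulnerable(table, user_org_id, route_id, payload):
    """Defective pattern: authorize route_id, then copy every payload field, a
    payload 'id' included, onto the loaded record. save() then updates whatever
    row the payload id names, not the row that was authorized."""
    rec = load_authorized(table, user_org_id, route_id)
    rec.update(payload)
    return orm_save(table, rec)


def edit_hardened(table, user_org_id, route_id, payload, user_sharing_groups=()):
    """Hardened edit: whitelist payload fields, validate the effective sharing
    group, and re-pin the primary key to the route-authorized id before saving."""
    rec = load_authorized(table, user_org_id, route_id)
    for key, value in payload.items():
        if key in EDITABLE_FIELDS:
            rec[key] = value
        # id, org_id, user_id, event_id and any other key are dropped here
    sg = rec["sharing_group_id"]
    if sg != 0 and sg not in user_sharing_groups:
        raise PermissionError(f"sharing group {sg} is outside the caller's scope")
    rec["id"] = route_id  # re-pin: the authorized row is the only row that can be written
    return orm_save(table, rec)


def create_hardened(table, user_org_id, payload):
    """Create-only save: strip any client-supplied primary key and pin ownership."""
    rec = {k: v for k, v in payload.items() if k in EDITABLE_FIELDS}
    rec.setdefault("info", "")
    rec.setdefault("sharing_group_id", 0)
    rec["org_id"] = user_org_id  # ownership comes from the session, never the payload
    return orm_save(table, rec)


def demo():
    """Runs one crafted payload through both edit paths on fresh copies of the
    sample table and reports which row each path actually wrote."""
    payload = {"id": 2, "info": "written by org 10"}  # route says event 1, payload says 2
    vuln = deepcopy(SAMPLE_EVENTS)
    vuln_row = edit_vulnerable(vuln, user_org_id=10, route_id=1, payload=payload)
    hard = deepcopy(SAMPLE_EVENTS)
    hard_row = edit_hardened(hard, user_org_id=10, route_id=1, payload=payload)
    return {
        "vulnerable_wrote_row": vuln_row,                 # 2: cross-object write
        "vulnerable_row2_org": vuln[2]["org_id"],         # 10: ownership transferred
        "hardened_wrote_row": hard_row,                   # 1: the authorized row
        "hardened_row2_untouched": hard[2] == SAMPLE_EVENTS[2],
    }


if __name__ == "__main__":
    print(demo())
```

A useful regression check for any CRUD endpoint is the shape of `demo()`: submit an edit whose route id and payload id differ and assert that only the route-authorized row changed and that ownership and scope fields are unchanged.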
Published: 2026-06-22
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user to supply request fields that include primary keys and ownership identifiers, which the MISP core fails to validate or re-pin before persisting data. In the affected controllers, the raw values supplied by the client can be applied to existing database records, resulting in creation of new objects, overwriting existing ones, re-parenting events, transferring ownership, or inserting attacker‑controlled content into another user’s context. These impacts threaten confidentiality, integrity, and availability of data across the platform and can be used for malicious data injection or unauthorized sharing.

Affected Systems

The affected product is MISP Core, specifically various controllers and models that process REST or form submissions. All instances using MISP versions before the patch commits identified in the reference list are vulnerable; no explicit version range is listed, but any deployment prior to the latest changes must be considered at risk.

Risk and Exploitability

The CVSS score of 9.4 indicates critical severity. EPSS is not available, so no exploitation likelihood can be quantified. The vulnerability is not listed in CISA KEV, but the lack of automatic ID validation means an attacker with valid credentials could exploit it easily. The likely attack vector is an authenticated HTTP request to a vulnerable endpoint where the attacker crafts payloads containing unintended primary and ownership keys; the system then persists the data against the targeted object, bypassing its authorization checks.

Generated by OpenCVE AI on June 22, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MISP core patches that strip client‑supplied primary keys on create, re‑pin server‑authorized identifiers before save, and enforce field whitelists for ownership attributes.
  • Verify that all create, edit, and import routes are now rejecting or ignoring any primary key or ownership field present in the request payload.
  • If a patch cannot be applied immediately, restrict unauthenticated or administrative access to the affected endpoints using firewall rules and monitor for unauthorized object changes in logs.


Advisories

No advisories yet.

History

Mon, 22 Jun 2026 12:00:00 +0000

Type / Values Removed / Values Added

  • Description: added; the text is identical to the Description section at the top of this page.
  • Title: added "MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields"
  • Weaknesses: added CWE-639
  • References: (no values listed)
  • Metrics: added cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-22T11:43:02.690Z

Reserved: 2026-06-22T11:42:55.345Z

Link: CVE-2026-56422

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T13:30:16Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key