Description
MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object.

For Event Reports, EventReportsController::deleteSelection relied on the global perm_add capability rather than a per-report ownership/authorization check. As a result, a contributor-level user could submit report IDs or UUIDs for reports belonging to other organisations and hard-delete them instance-wide. The fix changed the callback to call EventReport::fetchIfAuthorized($user, $itemId, 'delete') for each selected report before deletion.




For Sharing Groups, SharingGroupsController::deleteSelection relied on the global perm_sharing_group capability rather than verifying ownership of each selected sharing group. This allowed a sharing-group-capable user to hard-delete sharing groups owned by other organisations, bypassing the per-object ownership gate used by the single-object delete action. The fix changed the callback to call SharingGroup::checkIfOwner($user, $itemId) for each selected sharing group.




An authenticated attacker with the relevant broad role permission could abuse the affected bulk deletion endpoints to delete objects outside their organisation’s authorization scope, causing loss of event-report content or sharing-group configuration across the instance.
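The pattern described above, reduced to a minimal model for Event Reports, as an added example (not MISP source code). Only `perm_add` and `fetchIfAuthorized` are names from the advisory; the `ReportStore` class, the "same organisation or site admin" rule, and the sample data are assumptions constructed for illustration.

```php
<?php
// Simplified model of the flaw; added illustration, NOT MISP source code.
// The class, the authorization rule and the data are constructed assumptions.

final class ReportStore
{
    public array $reports; // id => ['org_id' => int, 'name' => string]

    public function __construct(array $reports) { $this->reports = $reports; }

    // Per-object gate: returns the report only if this user may act on it.
    // $action mirrors the advisory's call; this model treats all actions alike.
    public function fetchIfAuthorized(array $user, int $id, string $action): ?array
    {
        $report = $this->reports[$id] ?? null;
        if ($report === null) { return null; }
        $sameOrg = $report['org_id'] === $user['org_id'];
        return ($user['site_admin'] || $sameOrg) ? $report : null;
    }
}

// BEFORE: a single role-level check covers every submitted ID.
function deleteSelectionVulnerable(ReportStore $s, array $user, array $ids): array
{
    if (!$user['perm_add']) { return []; }
    $deleted = [];
    foreach ($ids as $id) {
        if (isset($s->reports[$id])) { unset($s->reports[$id]); $deleted[] = $id; }
    }
    return $deleted;
}

// AFTER: the role check stays, and each ID must also pass the object gate.
function deleteSelectionFixed(ReportStore $s, array $user, array $ids): array
{
    if (!$user['perm_add']) { return []; }
    $deleted = [];
    foreach ($ids as $id) {
        if ($s->fetchIfAuthorized($user, $id, 'delete') === null) { continue; }
        unset($s->reports[$id]);
        $deleted[] = $id;
    }
    return $deleted;
}

// Constructed sample: report 1 belongs to the user's org (10), report 2 does not.
$data = [1 => ['org_id' => 10, 'name' => 'own'], 2 => ['org_id' => 20, 'name' => 'other']];
$user = ['org_id' => 10, 'perm_add' => true, 'site_admin' => false];
echo json_encode(deleteSelectionVulnerable(new ReportStore($data), $user, [1, 2])), "\n";
echo json_encode(deleteSelectionFixed(new ReportStore($data), $user, [1, 2])), "\n";
```

A regression test for this class of bug should submit a mixed selection of own and foreign object IDs and assert that only the caller's own objects are removed.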
Published: 2026-06-22
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Broken access control in the bulk deletion endpoints of MISP Core allows authenticated users with broad role permissions to delete event reports and sharing groups across the entire instance regardless of ownership. The flaw stems from relying on global capability checks instead of per‑object authorization, enabling a contributor‑level or sharing‑group‑capable user to hard‑delete reports or groups belonging to other organisations. This results in loss of event‑report data and the removal of sharing‑group configurations, compromising data integrity and availability.

Affected Systems

Vendors: MISP. Product: MISP Core. No specific version information is provided, but the flaw applies to any instance using the affected bulk deletion flows before the patch referenced in the commit history.

Risk and Exploitability

With a CVSS score of 9.4, the vulnerability is classified as critical. An authenticated attacker who holds the broad role permissions required by the broken checks can trigger the bulk deletion endpoints and erase managed objects belonging to other organisations. The EPSS score is not available, and the vulnerability is not yet listed in CISA KEV. The attack vector is inferred to be an authenticated user abusing the bulk delete functionality to delete objects beyond their authority, leading to data loss and potential disruption of organisational collaboration.

Generated by OpenCVE AI on June 22, 2026 at 14:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MISP Core to a version that includes the patch from commits ada02fa6d and f99b3f16, or manually apply the fix changes to the deleteSelection handlers.
  • Audit and reduce users’ role permissions, removing the broad perm_add and perm_sharing_group capabilities from contributors and sharing‑group‑capable roles unless absolutely necessary.
  • If an immediate update is not feasible, disable or restrict access to the bulk deletion endpoints for event reports and sharing groups, or enforce per‑object authorization checks manually until the official patch is applied.



Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:45:00 +0000

Type: Values Added

  • Description: identical to the Description at the top of this page.
  • Title: MISP Core: Broken access control allows instance-wide unauthorized deletion of event reports and sharing groups via bulk deletion endpoints
  • Weaknesses: CWE-862
  • References:
  • Metrics: cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}



MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-22T11:56:26.235Z

Reserved: 2026-06-22T11:56:07.846Z

Link: CVE-2026-56423

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T14:45:05Z

Weaknesses