Description
MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process.

The fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments.
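The checks listed in the fix description, modelled as an added Python example (not MISP's own code, which is PHP). The function name `check_log_path`, the contents of `EXECUTABLE_SEGMENTS` and the temporary directories standing in for APP/tmp/logs and a web root are assumptions.

```python
import os
import tempfile

ALLOWED_EXTENSIONS = {"log", "ndjson"}
# Assumption: segments treated as executable; the advisory does not list them.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "pht", "phtml",
                       "phar", "cgi", "pl", "py", "sh"}


def check_log_path(path, allowed_roots):
    """Return (ok, reason) for a candidate NDJSON error-log destination."""
    if not path or "\x00" in path:
        return False, "empty path or NUL byte"
    if "://" in path:
        return False, "stream wrapper"
    if not os.path.isabs(path):
        return False, "not an absolute path"
    if ".." in path.replace("\\", "/").split("/"):
        return False, "traversal segment"

    directory, filename = os.path.split(path)
    # Resolve symlinks so a link inside a log root cannot point elsewhere.
    real_dir = os.path.realpath(directory)
    if not os.path.isdir(real_dir):
        return False, "directory does not exist"
    roots = [os.path.realpath(root) for root in allowed_roots]
    if not any(os.path.commonpath([real_dir, root]) == root for root in roots):
        return False, "outside allowed log roots"

    segments = filename.lower().split(".")
    if len(segments) < 2 or not segments[0] or segments[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension must be .log or .ndjson"
    if any(seg in EXECUTABLE_SEGMENTS for seg in segments[1:-1]):
        return False, "executable extension segment"
    return True, "ok"


if __name__ == "__main__":
    # Constructed layout standing in for APP/tmp/logs and a web root.
    base = tempfile.mkdtemp()
    logs, web = os.path.join(base, "logs"), os.path.join(base, "webroot")
    os.makedirs(logs)
    os.makedirs(web)
    for candidate in (os.path.join(logs, "error.ndjson"),
                      os.path.join(web, "index.php"),
                      os.path.join(logs, "error.php.log"),
                      "php://filter/resource=" + os.path.join(logs, "a.log")):
        print(candidate, "->", check_log_path(candidate, [logs]))
```

Run against the configured log path of each instance, passing the real APP/tmp/logs and /var/log locations as `allowed_roots`.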
Published: 2026-06-22
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MISP allowed site administrators to set an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because the log entries can contain attacker‑controlled data, an authenticated administrator could configure the log destination to point to a PHP file inside a web‑accessible directory and inject PHP code through the logged content. When the generated file is accessed via a web browser, the PHP code is executed with the privileges of the web server process, resulting in remote code execution.

Affected Systems

The vulnerability affects the MISP platform and its various deployments. No specific affected versions are listed in the advisory, so any installation that has not applied the patch restricting log destinations to APP/tmp/logs or /var/log with only .log or .ndjson filenames is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. Exploitation requires site‑administrator authentication; once that privilege is available, exploitation is straightforward because the log path can be manipulated to create an executable PHP file. The fix restricts the log configuration to legitimate directories and file names, preventing the injection of executable code.

Generated by OpenCVE AI on June 22, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MISP to a version that restricts NDJSON error log paths to APP/tmp/logs or /var/log and limits file extensions to .log or .ndjson.
  • Delete or disable any PHP files that may have been created by the vulnerable logging mechanism in web‑accessible directories.
  • Reconfigure MISP logging settings to enforce only absolute paths under APP/tmp/logs or /var/log and reject stream wrappers, traversal sequences, and executable extension segments.

Generated by OpenCVE AI on June 22, 2026 at 14:40 UTC.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:45:00 +0000

Values removed: none
Values added:
  • Description: MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process. The fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments.
  • Title: Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path in MISP
  • Weaknesses: CWE-94
  • References
  • Metrics: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-22T12:31:40.362Z

Reserved: 2026-06-22T12:31:33.455Z

Link: CVE-2026-56446

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T14:45:05Z

Weaknesses
  • CWE-94: Improper Control of Generation of Code ('Code Injection')