Description
MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or administrative image, to host the malicious configuration file.

The issue is fixed by restricting the setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets.
Published: 2026-06-22
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated MISP site administrator can set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP then parses the referenced INI file and passes its options to the rdkafka library without restricting which options are accepted. A crafted configuration file can use rdkafka settings such as plugin.library.paths to make the library load an external shared object, giving arbitrary code execution with the privileges of the running MISP process. The attacker can stage the malicious configuration file in any MISP-writable location, such as an uploaded file or an administrative image, and then point the setting at it.

Affected Systems

The affected product is MISP (misp:misp). No specific version range is listed; the vulnerability applies to installations in which an authenticated site administrator can set Kafka_rdkafka_config to an arbitrary path. All instances before the fix that restricts the setting to absolute .ini files in approved configuration directories (outside the webroot and upload targets) should be treated as affected.

Risk and Exploitability

CVSS 4.0 score 9.3 indicates critical severity. The vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N) describes a network-reachable, low-complexity attack that needs high privileges but no user interaction, with high confidentiality and integrity impact on MISP and on subsequent systems reachable from the MISP host. EPSS is not available, so the exploitation probability is not quantified, but the flaw is simple to use once the precondition is met. The vulnerability is not listed in CISA KEV. Exploitation requires site-administrator access plus the ability to place a file in a MISP-writable location; both are routinely available to a compromised or malicious administrator account. Because the entry point is the administrative configuration interface, this is primarily an insider or post-credential-compromise threat rather than an unauthenticated one.

Generated by OpenCVE AI on June 22, 2026 at 14:40 UTC.

Remediation

No vendor advisory or patch reference is linked on this page. The CVE description itself states that the issue is fixed by restricting Kafka_rdkafka_config to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets; check the MISP release notes for the version that includes that change.

OpenCVE Recommended Actions

  • Apply the MISP update that restricts Kafka_rdkafka_config to absolute .ini files located only in approved directories outside the webroot and upload targets.
  • Verify that any existing Kafka_rdkafka_config file has been moved or deleted from writable locations such as uploads or administrative image directories, and update the path to a safe, approved file.
  • If an immediate patch is unavailable, disable or remove editing permissions for Kafka_rdkafka_config in the MISP interface and ensure the setting points to a non-exploitable configuration file.
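The following is an added example (not MISP's own code) of the two checks the fix description and the recommended actions above call for: a path validator that accepts only absolute .ini files resolving, after symlinks, inside an approved configuration directory and outside the webroot and upload targets, and an audit that parses an existing rdkafka INI the way a loader feeding rdkafka would and flags library-loading options such as plugin.library.paths. Directory names and file contents are constructed for the demo and are assumptions, not MISP's real layout.

```python
import os
import tempfile

# rdkafka options that make librdkafka load native code from disk; an INI
# supplying these from an attacker-writable location is the RCE vector
# described above.
DANGEROUS_KEYS = {"plugin.library.paths"}


def _inside(real_path, directory):
    """True if real_path (already realpath'd) lies within directory."""
    real_dir = os.path.realpath(directory)
    return os.path.commonpath([real_path, real_dir]) == real_dir


def validate_config_path(path, approved_dirs, forbidden_dirs):
    """Mirror the fix: absolute path, .ini suffix, and, after resolving
    symlinks, inside an approved config dir and outside webroot/uploads.
    Returns (accepted, detail)."""
    if not os.path.isabs(path):
        return False, "path must be absolute"
    if not path.endswith(".ini"):
        return False, "path must end in .ini"
    real = os.path.realpath(path)
    for d in forbidden_dirs:
        if _inside(real, d):
            return False, "resolves under forbidden directory " + d
    if not any(_inside(real, d) for d in approved_dirs):
        return False, "outside approved configuration directories"
    if not os.path.isfile(real):
        return False, "not a regular file"
    return True, real


def parse_rdkafka_ini(path):
    """Flat key=value parse, as a loader passing options to rdkafka would
    see them. Ignores comments and section headers; last assignment wins."""
    opts = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line[0] in "#;[":
                continue
            key, sep, value = line.partition("=")
            if sep:
                opts[key.strip()] = value.strip().strip('"')
    return opts


def dangerous_options(path):
    """Keys in the INI that would cause external code to be loaded."""
    return sorted(k for k in parse_rdkafka_ini(path) if k in DANGEROUS_KEYS)


def run_demo():
    """Build a throwaway layout (constructed for this example; the
    directory names are assumptions) and exercise both checks."""
    root = tempfile.mkdtemp(prefix="misp-rdkafka-")
    approved = os.path.join(root, "etc", "misp")
    webroot = os.path.join(root, "www", "app", "webroot")
    uploads = os.path.join(root, "www", "app", "files")
    for d in (approved, os.path.join(webroot, "img"), uploads):
        os.makedirs(d)

    # Attacker-controlled INI dropped through an image upload (constructed).
    evil = os.path.join(webroot, "img", "logo.ini")
    with open(evil, "w") as fh:
        fh.write("bootstrap.servers=kafka:9092\n"
                 "plugin.library.paths="
                 + os.path.join(webroot, "img", "x.so") + "\n")

    # Operator-managed INI in the approved directory (constructed).
    good = os.path.join(approved, "rdkafka.ini")
    with open(good, "w") as fh:
        fh.write("bootstrap.servers=kafka:9092\nsecurity.protocol=ssl\n")

    # A symlink inside the approved dir that points back into the webroot:
    # the realpath-based check must still reject it.
    link = os.path.join(approved, "link.ini")
    os.symlink(evil, link)

    forbidden = [webroot, uploads]
    return {
        "evil": validate_config_path(evil, [approved], forbidden)[0],
        "good": validate_config_path(good, [approved], forbidden)[0],
        "link": validate_config_path(link, [approved], forbidden)[0],
        "relative": validate_config_path("conf/rdkafka.ini", [approved], forbidden)[0],
        "wrong_ext": validate_config_path(good + ".txt", [approved], forbidden)[0],
        "evil_keys": dangerous_options(evil),
        "good_keys": dangerous_options(good),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The path validator is the restriction the fix describes; the key audit is an additional defence-in-depth check for reviewing a file that is already in place, and can also be applied to the file before it is handed to rdkafka. The symlink case matters because an approved directory that is writable by the web server, or that contains a link created earlier, would otherwise let the path restriction be bypassed.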


Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:45:00 +0000

This initial entry records values added at publication (no values removed):

Description: MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or administrative image, to host the malicious configuration file. The issue is fixed by restricting the setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets.
Title: MISP remote code execution via arbitrary rdkafka configuration path
Weaknesses: CWE-829
References: none
Metrics: cvssV4_0, score 9.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-22T12:39:31.309Z

Reserved: 2026-06-22T12:39:24.204Z

Link: CVE-2026-56447

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T14:45:05Z

Weaknesses
  • CWE-829

    Inclusion of Functionality from Untrusted Control Sphere