Description
MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.
Published: 2026-05-20
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The OIDC authentication plugin for MISP automatically linked an OIDC identity to a local user account when the local account had no stored sub value and the email claim matched. On IdP configurations that do not enforce legitimate ownership of the email address, an attacker who can acquire a valid OIDC token can simply assert the victim’s email and be authenticated as that user. The effect is a full takeover of the victim’s account, granting the attacker the read, write, and any administrative capabilities that account holds on the MISP instance. The weakness corresponds to CWE-287, Authentication Failure.

Affected Systems

The vulnerability applies to the MISP project, specifically to any release that includes the OIDC authentication plugin without additional safeguards for email verification or sub claim checks. No specific version range is listed, so any version employing this plugin can be affected if configured with an insecure IdP.

Risk and Exploitability

The CVSS score of 6 indicates moderate severity. The EPSS score is unavailable, so the likelihood of exploitation in the wild cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog. The attack can be executed only if the attacker has a valid OIDC token for an IdP that does not prove email ownership, making the exploitation context dependent on IdP configuration and token issuance.

Generated by OpenCVE AI on May 20, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest MISP release that patches the automatic email-linking flaw, or apply a vendor‑provided patch.
  • Configure the IdP used for OIDC to enforce email ownership verification and to restrict the ability for arbitrary emails to be used in tokens.
  • Disable the automatic linking feature in MISP, or modify the plugin so that it only links an OIDC identity to a local account when a sub claim is present and the email address is verified by the IdP.

Generated by OpenCVE AI on May 20, 2026 at 16:21 UTC.
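The following is an added example, not code from MISP or its OIDC plugin, that contrasts the linking behaviour described under Impact with the checks listed in the recommended actions: a local account that has never been bound to an OIDC subject is linked on the email claim alone, versus a policy that requires a trusted issuer, a present sub claim, an IdP-asserted email_verified flag, and an explicit opt-in before any email-based linking happens. The issuer URL, the claim values, the user table and all function names are constructed for the illustration.

```python
"""
Added example (not MISP code): an OIDC login handler that maps an IdP identity
to a local account. `link_by_email_unverified` reproduces the behaviour the
advisory describes; `link_hardened` applies the recommended checks.
All names, claim values and the users table below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

TRUSTED_ISSUER = "https://idp.example.test"   # hypothetical IdP, constructed


@dataclass
class LocalUser:
    email: str
    oidc_issuer: Optional[str] = None   # set once the account is bound to an IdP identity
    oidc_sub: Optional[str] = None      # None means "never linked", the state the flaw relies on


class LoginRejected(Exception):
    """Raised when the token must not be mapped to any local account."""


def make_users() -> dict:
    # Constructed sample: one pre-existing local account that has never used OIDC.
    return {"alice@example.test": LocalUser(email="alice@example.test")}


def find_by_sub(users: dict, iss, sub) -> Optional[LocalUser]:
    # The identity key of an OIDC subject is (iss, sub), never the email alone.
    for u in users.values():
        if u.oidc_issuer == iss and u.oidc_sub == sub:
            return u
    return None


def link_by_email_unverified(users: dict, claims: dict) -> LocalUser:
    """Vulnerable policy: if no account carries this sub, fall back to the email
    claim and silently bind the account to whatever sub presented it."""
    user = find_by_sub(users, claims.get("iss"), claims.get("sub"))
    if user:
        return user
    user = users.get(claims.get("email", ""))
    if user is not None and user.oidc_sub is None:
        user.oidc_issuer, user.oidc_sub = claims.get("iss"), claims.get("sub")
        return user
    raise LoginRejected("no local account for this identity")


def link_hardened(users: dict, claims: dict, auto_link: bool = False) -> LocalUser:
    """Hardened policy: trusted issuer, mandatory sub, and email-based linking
    only when explicitly enabled and only for an email the IdP asserts as verified."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if iss != TRUSTED_ISSUER:
        raise LoginRejected("untrusted issuer")
    if not sub:
        raise LoginRejected("token has no sub claim")
    user = find_by_sub(users, iss, sub)
    if user:
        return user                      # already bound: the email claim plays no role
    if not auto_link:
        raise LoginRejected("account not linked; link it explicitly while signed in")
    if claims.get("email_verified") is not True:
        raise LoginRejected("IdP did not assert ownership of the email")
    user = users.get(claims.get("email", "").lower())
    if user is None:
        raise LoginRejected("no local account with this email")
    if user.oidc_sub is not None:
        raise LoginRejected("account already bound to a different subject")
    user.oidc_issuer, user.oidc_sub = iss, sub
    return user


# Constructed token claims (signature and expiry are assumed to be checked upstream).
ATTACKER_CLAIMS = {"iss": TRUSTED_ISSUER, "sub": "subject-9001",
                   "email": "alice@example.test", "email_verified": False}
ALICE_CLAIMS = {"iss": TRUSTED_ISSUER, "sub": "subject-0042",
                "email": "alice@example.test", "email_verified": True}


def demo() -> dict:
    """Run both policies against the same claims and report the outcome of each step."""
    result = {}
    users = make_users()
    result["vulnerable_attacker"] = link_by_email_unverified(users, ATTACKER_CLAIMS).email
    users = make_users()
    try:
        link_hardened(users, ATTACKER_CLAIMS, auto_link=True)
        result["hardened_attacker"] = "accepted"
    except LoginRejected as e:
        result["hardened_attacker"] = f"rejected: {e}"
    result["hardened_alice"] = link_hardened(users, ALICE_CLAIMS, auto_link=True).email
    try:  # same email, a different sub, after the account has been bound
        link_hardened(users, {**ATTACKER_CLAIMS, "email_verified": True}, auto_link=True)
        result["hardened_second_sub"] = "accepted"
    except LoginRejected as e:
        result["hardened_second_sub"] = f"rejected: {e}"
    return result


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The default of `auto_link=False` corresponds to the third recommended action, disabling automatic linking altogether: once a subject is bound, a later token for the same email but another sub is rejected rather than re-linked, and a token whose IdP does not set email_verified never reaches the email lookup at all.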

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Misp
                                       Misp misp
Vendors & Products                     Misp
                                       Misp misp

Wed, 20 May 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description                    MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.
Title                          MISP OIDC authentication bypass via automatic email-based account linking under insecure IdP configurations
Weaknesses                     CWE-287
References
Metrics                        cvssV4_0
                               {'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-05-20T15:28:55.640Z

Reserved: 2026-05-20T14:21:56.589Z

Link: CVE-2026-9084

Vulnrichment

Updated: 2026-05-20T15:28:52.979Z

NVD

Status : Awaiting Analysis

Published: 2026-05-20T16:16:28.107

Modified: 2026-05-20T17:31:45.303

Link: CVE-2026-9084

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T16:30:14Z

Weaknesses