Description
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a new proposal.




This can result in unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user should not be able to alter. Depending on deployment configuration and accessible API responses, the issue may also expose or move proposal data across event contexts.




The vulnerability is caused by trusting a client-supplied primary key during object creation. The fix removes the id field from incoming ShadowAttribute data before processing, ensuring that the endpoint always creates a new proposal rather than updating an existing one. This has been fixed in MISP 2.5.38.
Published: 2026-05-20
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A client‑controlled ShadowAttribute proposal creation endpoint in MISP was found to honor a supplied primary key field without removing it before persisting the record. As the underlying framework interprets an explicit id as a command to update an existing database row, an authenticated user who can submit shadow attribute proposals could supply the identifier of an existing ShadowAttribute and trigger an unintentional update of that record instead of creating a new proposal. This flaw facilitates unauthorized modification of shadow attributes, enabling the attacker to alter data tied to events they should not have permission to modify and, depending on API response exposure, potentially shift or leak proposal data across event boundaries.

Affected Systems

MISP (Malware Information Sharing Platform) versions older than 2.5.38 are vulnerable. The fix that removes the id field during payload processing was released in MISP 2.5.38, so any deployment running an earlier release is at risk.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity, and the lack of an EPSS score suggests limited publicly known exploitation data at present. The vulnerability is not listed in CISA KEV. Because exploitation requires an authenticated session with permissions to create shadow attribute proposals, attackers need appropriate access credentials. Once authenticated, they can trigger the flaw by sending a crafted request containing an existing ShadowAttribute id, causing the system to overwrite selected fields. The high severity combined with the ability to modify protected data makes this a critical concern for organizations that rely on strict access controls for MISP events.

Generated by OpenCVE AI on May 20, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MISP to version 2.5.38 or later to apply the vendor patch that removes the id field before processing.
  • Restrict the API endpoint that accepts shadow attribute proposals to users with the least privileges necessary, ensuring role‑based controls prevent unauthorized users from submitting proposals.
  • Perform an audit of existing shadow attributes to detect any unintended updates that may have occurred prior to patching and restore records from backups if necessary.

Generated by OpenCVE AI on May 20, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Misp
Misp misp
Vendors & Products Misp
Misp misp

Wed, 20 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a new proposal. This can result in unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user should not be able to alter. Depending on deployment configuration and accessible API responses, the issue may also expose or move proposal data across event contexts. The vulnerability is caused by trusting a client-supplied primary key during object creation. The fix removes the id field from incoming ShadowAttribute data before processing, ensuring that the endpoint always creates a new proposal rather than updating an existing one. This has been fixed in MISP 2.5.38.
Title Unauthorized ShadowAttribute modification in MISP via client-supplied identifier
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}

Subscriptions

Misp Misp
cve-icon MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-05-20T19:27:31.091Z

Reserved: 2026-05-20T18:38:29.235Z

Link: CVE-2026-9136

cve-icon Vulnrichment

Updated: 2026-05-20T19:27:28.076Z

cve-icon NVD

Status : Received

Published: 2026-05-20T20:16:46.013

Modified: 2026-05-20T20:16:46.013

Link: CVE-2026-9136

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T20:45:03Z

Weaknesses