Description
The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.
Published: 2026-05-20
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. This mis‑limit means that anyone who can reach the endpoint can use large reports to generate excessive log volume, rapidly exhausting storage and degrading log processing. The result is a denial of service caused by uncontrolled log growth.

Affected Systems

The vulnerability affects the MISP platform. No specific affected versions are listed, so any deployment that has the CSP report endpoint exposed to untrusted clients is potentially vulnerable. The required information for an exact version is not provided in the data.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk level, and the EPSS score of <1% indicates a very low but not zero exploitation probability. The entry is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves unauthenticated HTTP requests directed at the publicly or internally accessible CSP report endpoint. By submitting large CSP reports it yields uncontrolled resource consumption, inflating log size and potentially exhausting disk space or slowing system operations.

Generated by OpenCVE AI on May 29, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from the CNA commit (https://github.com/MISP/MISP/commit/02932cccab230b295afcaf5aa05e363d30db0ec9) that enforces the correct 1‑KB limit for CSP reports.
  • Restrict access to the CSP report endpoint to trusted networks or authenticated users to prevent untrusted clients from sending large reports.
  • Monitor log sizes and set alerts for sudden growth that may indicate log flooding.
  • Implement input size validation in the CSP report handling logic to reject reports exceeding 1 KB, addressing the CWE‑400 resource‑exhaustion weakness.

Generated by OpenCVE AI on May 29, 2026 at 08:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 29 May 2026 07:45:00 +0000

Type Values Removed Values Added
Description The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding. The CSP report endpoint in MISP intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.
Title CSP Report Endpoint Log Flooding via Incorrect Size Limit CSP Report Endpoint Log Flooding in MISP via Incorrect Size Limit

Wed, 20 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Misp
Misp misp
Vendors & Products Misp
Misp misp

Wed, 20 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.
Title CSP Report Endpoint Log Flooding via Incorrect Size Limit
Weaknesses CWE-400
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Misp Misp
cve-icon MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-05-29T06:57:50.739Z

Reserved: 2026-05-20T18:42:18.665Z

Link: CVE-2026-9137

cve-icon Vulnrichment

Updated: 2026-05-20T19:26:42.606Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-20T20:16:46.177

Modified: 2026-06-02T16:34:32.473

Link: CVE-2026-9137

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T08:30:26Z

Weaknesses