Description
The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.
Published: 2026-05-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CSP report endpoint in MISP was intended to accept and log only CSP reports of up to 1 KB but incorrectly allowed reports of up to 1 MB before truncation. Because of this incorrect limit, anyone who can reach the endpoint can submit large reports to generate excessive log volume, rapidly exhausting storage and degrading log processing. The result is a denial of service caused by uncontrolled log growth.

Affected Systems

The vulnerability affects the MISP platform. No specific affected versions are listed, so any deployment that exposes the CSP report endpoint to untrusted clients is potentially vulnerable; the available data do not identify an exact affected version.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk level, but the lack of an EPSS score means the exploitation likelihood is unknown. The entry is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is unauthenticated HTTP requests directed at a publicly or internally reachable CSP report endpoint. Submitting large CSP reports causes uncontrolled resource consumption, inflating log size and potentially exhausting disk space or slowing system operations.

Generated by OpenCVE AI on May 20, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from the CNA commit (https://github.com/MISP/MISP/commit/02932cccab230b295afcaf5aa05e363d30db0ec9) that enforces the correct 1 KB limit for CSP reports.
  • Restrict access to the CSP report endpoint to trusted networks or authenticated users to prevent untrusted clients from sending large reports.
  • Monitor log sizes and set alerts for sudden growth that may indicate log flooding.
  • Implement input size validation in the CSP report handling logic to reject reports exceeding 1 KB, addressing the CWE-400 resource-exhaustion weakness.
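As an added illustration (not MISP's code and not the patch linked above), the following hypothetical handler checks the raw body length before parsing or logging a CSP report, and lets you compare the log growth under the intended 1 KB limit with the 1 MB limit the description says was in effect; `handle_csp_report`, `LogSink`, `make_report`, `flood_log_bytes` and the sample report contents are names and values constructed here.

```python
import json
from dataclasses import dataclass, field

# Assumed values modelling the bug class this page describes (not MISP's code):
WEAK_LIMIT = 1024 * 1024   # the 1 MB ceiling the description says was in effect
FIXED_LIMIT = 1024         # the intended 1 KB ceiling per logged report


@dataclass
class LogSink:
    """In-memory stand-in for the server log the reports are written to."""
    entries: list = field(default_factory=list)

    def total_bytes(self) -> int:
        return sum(len(e) for e in self.entries)


def handle_csp_report(body: bytes, sink: LogSink, limit: int) -> int:
    """Handle one POST to the report endpoint and return an HTTP status.

    The raw body length is checked before JSON parsing and before logging,
    so an oversize request costs neither parser time nor log space.
    """
    if len(body) > limit:
        return 413  # Payload Too Large; nothing is written to the log
    try:
        report = json.loads(body)
    except ValueError:
        return 400
    if not isinstance(report, dict) or not isinstance(report.get("csp-report"), dict):
        return 400  # not the shape a browser's report-uri POST has
    sink.entries.append(body[:limit])  # truncation is now a no-op, kept as defence in depth
    return 204


def make_report(padding: int) -> bytes:
    """Constructed sample: a browser-style CSP report with one padded field."""
    doc = {"csp-report": {"document-uri": "https://misp.example/",
                          "violated-directive": "script-src",
                          "blocked-uri": "A" * padding}}
    return json.dumps(doc).encode()


def flood_log_bytes(requests: int, padding: int, limit: int) -> int:
    """Bytes the log holds after `requests` identical submissions under `limit`."""
    sink = LogSink()
    body = make_report(padding)
    for _ in range(requests):
        handle_csp_report(body, sink, limit)
    return sink.total_bytes()
```

With the 1 KB limit, a hundred half-megabyte submissions add nothing to the log; with the 1 MB limit the same traffic adds roughly 50 MB, which is the log-flooding condition the advisory describes.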



Advisories

No advisories yet.

History

Wed, 20 May 2026 21:00:00 +0000

Type: First Time appeared; Values removed: none; Values added: Misp; Misp misp
Type: Vendors & Products; Values removed: none; Values added: Misp; Misp misp

Wed, 20 May 2026 20:15:00 +0000

Type: Metrics (ssvc); Values removed: none; Values added:
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 19:30:00 +0000

Type: Description; Values removed: none; Values added: The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.
Type: Title; Values removed: none; Values added: CSP Report Endpoint Log Flooding via Incorrect Size Limit
Type: Weaknesses; Values removed: none; Values added: CWE-400
Type: References; Values removed: none; Values added: none listed
Type: Metrics (cvssV4_0); Values removed: none; Values added:
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-05-20T19:26:46.826Z

Reserved: 2026-05-20T18:42:18.665Z

Link: CVE-2026-9137

Vulnrichment

Updated: 2026-05-20T19:26:42.606Z

NVD

Status: Received

Published: 2026-05-20T20:16:46.177

Modified: 2026-05-20T20:16:46.177

Link: CVE-2026-9137

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T21:45:40Z

Weaknesses