CVE-2026-54357

MEDIUM EPSS 16.7%

Published Jun 12, 20262w ago · Modified Jun 17, 20261w ago

5.1 CVSS 4.0

Medium

Published Jun 12, 2026 2w ago

Last Modified Jun 17, 2026 1w ago

Description

An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership but did not exclude higher-privileged site administrator users. As a result, an organization administrator could potentially view or alter site administrator user settings and related login profile information, crossing the intended privilege boundary between organization administration and site-wide administration. The patch hardens the ACL logic by excluding site administrator accounts from organization administrator–managed user sets, adding explicit authorization failure when a target user is not administrable, and ensuring user setting and login profile operations fail closed.

CVSS Details

Base Score

5.1

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required High

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

16.7% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-639

CWE-863 Incorrect Authorization Authorization

References 1

github.com https://github.com/MISP/MISP/commit/ed3d9b862dea4c8c8e9b620a5ad99ce0c2c82154

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.