CVE-2026-56422

CRITICAL EPSS 28.1%
Published Jun 22, 2026 (1w ago) · Modified Jun 22, 2026 (1w ago)
9.4 CVSS 4.0
Critical

Description

Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object. In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user’s context. The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub’s patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned.
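The pattern the description names (a central edit() that copies client-supplied fields, including the payload primary key, onto the already-authorized record, so the framework's save() updates whichever row the payload names) is easier to see on a small model. The following is an added illustration, not MISP or CakePHP code: it uses a constructed in-memory event table and a `cake_like_save()` helper that imitates the relevant behaviour of an ORM save (primary key present means UPDATE that row, absent means INSERT). `vulnerable_edit()` reproduces the unpinned merge; `hardened_edit()` and `hardened_create()` apply the three fixes the advisory lists: strip ownership and key fields from the payload, re-pin the route-authorized id before saving, and force the creator's own scope on create. All names and sample values are assumptions made for the example.

```python
from copy import deepcopy

# Constructed sample table: two events belonging to two different organisations.
EVENTS = {
    1: {"id": 1, "org_id": 10, "info": "Org A event"},
    2: {"id": 2, "org_id": 20, "info": "Org B event"},
}

# Fields a client must never be able to set directly (hypothetical whitelist
# complement; the advisory lists id, org_id, user_id, sharing_group_id among them).
OWNERSHIP_FIELDS = {"id", "org_id", "user_id", "sharing_group_id"}


def fresh_store():
    """Return an independent copy of the sample table so each scenario starts clean."""
    return deepcopy(EVENTS)


def authorized(store, event_id, user_org):
    """Load the row the route points at and check the caller's org owns it."""
    row = store.get(event_id)
    if row is None or row["org_id"] != user_org:
        raise PermissionError("not authorized for this event")
    return row


def cake_like_save(store, data):
    """Imitates an ORM save(): a primary key in the data selects the row to UPDATE;
    without one a new row is INSERTed. This is the behaviour the re-pin guards against."""
    pk = data.get("id")
    if pk is None:
        pk = max(store) + 1
        store[pk] = {**data, "id": pk}
        return pk
    if pk in store:
        store[pk].update(data)
    else:
        store[pk] = dict(data)
    return pk


def vulnerable_edit(store, route_id, user_org, payload):
    """Authorizes route_id, then merges the whole payload onto the loaded row.
    A payload 'id' overrides the authorized id, so save() targets another row."""
    row = authorized(store, route_id, user_org)
    merged = {**row, **payload}
    return cake_like_save(store, merged)


def hardened_edit(store, route_id, user_org, payload):
    """Same authorization, but ownership/key fields are dropped from the payload and
    the primary key is re-pinned to the row that was actually authorized."""
    row = authorized(store, route_id, user_org)
    editable = {k: v for k, v in payload.items() if k not in OWNERSHIP_FIELDS}
    merged = {**row, **editable}
    merged["id"] = row["id"]  # re-pin: payload can never redirect the save
    return cake_like_save(store, merged)


def hardened_create(store, user_org, payload):
    """Create-only save: client keys are stripped so no existing row can be
    overwritten, and the owning org is taken from the session, not the payload."""
    editable = {k: v for k, v in payload.items() if k not in OWNERSHIP_FIELDS}
    editable["org_id"] = user_org
    return cake_like_save(store, editable)


if __name__ == "__main__":
    crafted = {"id": 2, "info": "changed via event 1"}  # constructed request body
    s = fresh_store()
    vulnerable_edit(s, 1, 10, crafted)
    print("vulnerable:", s[2])  # event 2 rewritten and now owned by org 10
    s = fresh_store()
    hardened_edit(s, 1, 10, crafted)
    print("hardened:  ", s[1], s[2])  # only event 1 changes; event 2 untouched
```

The store in `__main__` shows the two outcomes side by side: the unpinned path rewrites event 2 (owned by org 20) from a request authorized only against event 1, which is the cross-object overwrite and ownership transfer the description lists, while the pinned path confines the write to the authorized row.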

CVSS Details

Base Score
9.4
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
28.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-639

References 16

  • github.com https://github.com/MISP/MISP/commit/00b2e3dae56fa24ea750eb525cc4709b7e5bee85
  • github.com https://github.com/MISP/MISP/commit/025f711506850aadb69cde1b57e5e5d57628c87f
  • github.com https://github.com/MISP/MISP/commit/05aad418c57bb78e6b58a843d70d45de8f50db45
  • github.com https://github.com/MISP/MISP/commit/2cc26f38f3e85c594957899f09043d5193146607
  • github.com https://github.com/MISP/MISP/commit/3ff6bd9cfdab5d41b4667ea7298d88ffd6f3fcb8
  • github.com https://github.com/MISP/MISP/commit/57433015815e59db5a1f11536f90920952cf3fcd
  • github.com https://github.com/MISP/MISP/commit/58f637aaab4d133e72f1454ebb963191d96d3b78
  • github.com https://github.com/MISP/MISP/commit/634f1f87c295193486c08c2c7ba1fee8a7339baa
  • github.com https://github.com/MISP/MISP/commit/63aebc27a878233b9475c742985aaef909bc755b
  • github.com https://github.com/MISP/MISP/commit/7acf8220cafac58bcfb362da37aca512fe4bb396
  • github.com https://github.com/MISP/MISP/commit/8311427c2edd72a8341f0a65e1f11073d7ad9191
  • github.com https://github.com/MISP/MISP/commit/84bafe69f5d0ab7f811371c0801a613f271ebc0b
  • github.com https://github.com/MISP/MISP/commit/9341690e9b6dde7f0605edea5533e05ba7362e35
  • github.com https://github.com/MISP/MISP/commit/ab9619dfa6cb5210fd20fb3b0b57006e4fc93916
  • github.com https://github.com/MISP/MISP/commit/bc182d55dde5686a36ca2eb88fe6c2adabb9fad9
  • github.com https://github.com/MISP/MISP/commit/c80a3533b3d787f45f5185a4621cc0f05b0cf2e5

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.