MISP organization administrators can target site administrator accounts for password reset
CVE-2026-54358

7.5HIGH

Key Information:

Vendor: Misp
Status: Misp
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-54358?

An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own organization, but did not exclude accounts assigned a site administrator role from recipient queries. As a result, an organization administrator could perform privileged account-management actions, such as initiating a password reset workflow, against a higher-privileged site administrator account in the same organization.

Successful exploitation may allow an authenticated organization administrator to interfere with or potentially take over a site administrator account, resulting in privilege escalation and full compromise of the MISP instance’s confidentiality, integrity, and availability.

Attack prerequisites: The attacker must be authenticated as an organization administrator in the same organization as a site administrator account.

Affected Version(s)

misp 0 < 2.5.40

References

https://github.com/MISP/MISP/commit/146795489abef478c8f59...

patch

CVSS V4

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 12, 2026

Credit

HE WEI

Andras Iklody

CVE-2026-54358 Data

JSON

Misp

What is CVE-2026-54358?

Affected Version(s)

References

CVSS V4

Timeline

Credit