Authorization Flaw in MISP by GitHub
CVE-2026-54358

7.5HIGH

Key Information:

Vendor

Misp

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-54358?

An authorization flaw in MISP enables an organization administrator to inadvertently access privileged site administrator accounts through the misuse of the administrative email functionality. While the design intended to restrict organization administrators to user interactions within their own organization, it overlooked site administrator roles during recipient queries. Consequently, this oversight allows an authenticated organization administrator to initiate sensitive account management tasks, such as resetting passwords, on higher-privileged accounts, which could lead to unauthorized actions and compromise the integrity and confidentiality of the MISP instance. To exploit this vulnerability, attackers must be authenticated as organization administrators within the same organization as the targeted site administrator.

Affected Version(s)

misp 0 < 2.5.40

References

CVSS V4

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

HE WEI
Andras Iklody
.