Insecure configuration in MISP by Risk Based Security, allowing unauthorized cross-site request forgery
CVE-2026-54359

7.1HIGH

Key Information:

Vendor

Misp

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-54359?

MISP contains an insecure default configuration that disables the Security.check_sec_fetch_site_header control. This vulnerability permits state-changing requests, like POST, PUT, or AJAX requests, without restrictions based on the browser-included Sec-Fetch-Site header. An unauthenticated attacker can exploit this flaw by crafting a malicious web page, tricking an authenticated MISP user’s browser into issuing cross-site requests to MISP automation endpoints. If executed successfully, these forged requests may be processed with the victim’s user privileges, granting the attacker unauthorized access to modify MISP data or configurations. To mitigate this issue, operators of MISP should enable the Security.check_sec_fetch_site_header setting; however, for multi-homed deployments, validation of this setting is essential before enforcement.

Affected Version(s)

misp 0 < 2.5.40

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

José Pedro Moço
Andras Iklody
.