Insecure configuration in MISP by Risk Based Security, allowing unauthorized cross-site request forgery
CVE-2026-54359
What is CVE-2026-54359?
MISP contains an insecure default configuration that disables the Security.check_sec_fetch_site_header control. This vulnerability permits state-changing requests, like POST, PUT, or AJAX requests, without restrictions based on the browser-included Sec-Fetch-Site header. An unauthenticated attacker can exploit this flaw by crafting a malicious web page, tricking an authenticated MISP user’s browser into issuing cross-site requests to MISP automation endpoints. If executed successfully, these forged requests may be processed with the victim’s user privileges, granting the attacker unauthorized access to modify MISP data or configurations. To mitigate this issue, operators of MISP should enable the Security.check_sec_fetch_site_header setting; however, for multi-homed deployments, validation of this setting is essential before enforcement.
Affected Version(s)
misp 0 < 2.5.40
