Mass Assignment Vulnerability in MISP's Sharing Group Creation
CVE-2026-54360

8.4HIGH

Key Information:

Vendor

Misp

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-54360?

A mass assignment vulnerability in MISP allows authenticated users with permissions to create sharing groups to pass an unauthorized identifier, enabling them to modify existing groups without appropriate access controls. This flaw arises from the app/Controller/SharingGroupsController.php file, where the system fails to strip the user-provided id before processing the request. Consequently, an attacker could exploit this vulnerability to gain control over sharing groups, threatening the confidentiality and integrity of the shared data. Prompt updates are recommended to mitigate risks.

Affected Version(s)

misp 0 < 2.5.40

References

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jeroen Pinoy
Andras Iklody
.