Insecure Access Control in MISP Event Template Builder Exposes Data
CVE-2026-54362
5.3MEDIUM
What is CVE-2026-54362?
The MISP event template builder contains an incorrect visibility condition that allows authenticated non-site-admin users to view galaxies that they shouldn't have access to. This vulnerability arises from a flawed PHP comparison expression used for access control, instead of a proper query condition. As a result, galaxies, including custom ones created for specific organizations, can inadvertently be displayed to unauthorized users. This exposes sensitive metadata about these private galaxy definitions, potentially jeopardizing the confidentiality of data shared between organizations.
Affected Version(s)
misp 0 < 2.5.40
