Insecure Access Control in MISP Event Template Builder Exposes Data
CVE-2026-54362

5.3MEDIUM

Key Information:

Vendor

Misp

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-54362?

The MISP event template builder contains an incorrect visibility condition that allows authenticated non-site-admin users to view galaxies that they shouldn't have access to. This vulnerability arises from a flawed PHP comparison expression used for access control, instead of a proper query condition. As a result, galaxies, including custom ones created for specific organizations, can inadvertently be displayed to unauthorized users. This exposes sensitive metadata about these private galaxy definitions, potentially jeopardizing the confidentiality of data shared between organizations.

Affected Version(s)

misp 0 < 2.5.40

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jeroen Pinoy
Andras Iklody
.