Information Disclosure Vulnerability in MISP by MISP Project
CVE-2026-54396
5.3MEDIUM
What is CVE-2026-54396?
An information disclosure issue exists in the MISP platform's AuthKey editing functionality. This vulnerability allows authenticated users with permission to edit AuthKeys to exploit validation errors. When an error occurs, the dropdown menu is populated with user IDs derived from an attacker-controlled value in the request, enabling malicious users to enumerate other users' email addresses. This issue has been addressed by ensuring the dropdown user is derived from the owner of the AuthKey instead of the request data.
Affected Version(s)
misp 0 < 2.5.40
