Information Disclosure Vulnerability in MISP by MISP Project
CVE-2026-54396

5.3MEDIUM

Key Information:

Vendor

Misp

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-54396?

An information disclosure issue exists in the MISP platform's AuthKey editing functionality. This vulnerability allows authenticated users with permission to edit AuthKeys to exploit validation errors. When an error occurs, the dropdown menu is populated with user IDs derived from an attacker-controlled value in the request, enabling malicious users to enumerate other users' email addresses. This issue has been addressed by ensuring the dropdown user is derived from the owner of the AuthKey instead of the request data.

Affected Version(s)

misp 0 < 2.5.40

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jeroen Pinoy
Andras Iklody
.