MISP AuthKey edit endpoint allows authenticated user email enumeration
CVE-2026-54396

5.3MEDIUM

Key Information:

Vendor: Misp
Status: Misp
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-54396?

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.

Affected Version(s)

misp 0 < 2.5.40

References

https://github.com/MISP/MISP/commit/42737f4e88df801486334...

patch

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 12, 2026

Credit

Jeroen Pinoy

Andras Iklody

CVE-2026-54396 Data

JSON

Misp

What is CVE-2026-54396?

Affected Version(s)

References

CVSS V4

Timeline

Credit