Authorization Flaw in MISP's Object Management by MISP
CVE-2026-54398
5.3MEDIUM
What is CVE-2026-54398?
An authorization flaw in MISP's object add/edit handling permits authenticated users with editing permissions to assign MISP objects, or their attributes, to unauthorized sharing groups. This flaw arises from improper validation of sharing group permissions during object edits, allowing attackers to potentially expose non-visible sharing group details and manipulate metadata. The vulnerability occurs because the sharing group validation is executed against incorrect request data following the merging of object fields. Additionally, attributes within objects lack individual validation for appropriate sharing group use, heightening the risk of unauthorized access.
Affected Version(s)
misp 0 < 2.5.40
