MISP object edit authorization bypass allows unauthorized sharing group assignment
CVE-2026-54398

5.3MEDIUM

Key Information:

Vendor: Misp
Status: Misp
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-54398?

An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.

An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.

Affected Version(s)

misp 0 < 2.5.40

References

https://github.com/MISP/MISP/commit/4fe48c523e66999d65f99...

patch

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Jun 12, 2026

Credit

Andras Iklody

Jeroen Pinoy

CVE-2026-54398 Data

JSON

Misp

What is CVE-2026-54398?

Affected Version(s)

References

CVSS V4

Timeline

Credit