OIDC Authentication Plugin Vulnerability in MISP by The MISP Project
CVE-2026-9084

6 MEDIUM

Key Information:

Vendor: Misp
Status: Vendor
CVE Published: 20 May 2026

What is CVE-2026-9084?

The OIDC authentication plugin for MISP has a critical flaw that permits the automatic linking of an OIDC identity to a local user account when no sub (OIDC subject identifier) value is recorded for that account. This vulnerability arises under potentially insecure or untrusted identity provider (IdP) configurations, where ownership of the asserted email address is not validated. An attacker holding a legitimate OIDC token could exploit this weakness to impersonate a victim by asserting the victim's email address, leading to unauthorized account access and compromising user security.
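The following is an added example, not code from MISP or its OIDC plugin. It models the account-linking decision the advisory describes in a small, self-contained form: one linker falls back to the asserted email when no local account carries the token's sub, and silently binds the sub to whatever account it finds; a hardened linker treats the sub claim as the only identity key and permits a first-time link by email only when the token comes from an explicitly trusted issuer that asserts email_verified and the target account is still unbound. The user store layout, the issuer URLs and the two token claim sets are constructed for the example; the claim names (iss, sub, email, email_verified) are standard OIDC claims, and signature validation of the token is assumed to have happened upstream.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LocalUser:
    """Constructed local account record (hypothetical layout, not MISP's schema)."""
    email: str
    oidc_sub: Optional[str] = None  # None: no OIDC identity has been linked yet


class LinkRefused(Exception):
    """Raised when a token must not be mapped onto a local account."""


def make_users() -> Dict[str, LocalUser]:
    """Fresh user store keyed by email, containing one never-linked account."""
    return {"victim@example.com": LocalUser("victim@example.com")}


def find_by_sub(users: Dict[str, LocalUser], sub: str) -> Optional[LocalUser]:
    return next((u for u in users.values() if u.oidc_sub == sub), None)


def link_vulnerable(users: Dict[str, LocalUser], claims: dict) -> LocalUser:
    """The weak pattern: if no account carries this sub, fall back to matching on the
    asserted email and bind the sub to that account without checking who owns the email."""
    u = find_by_sub(users, claims["sub"])
    if u is not None:
        return u
    u = users.get(claims.get("email"))
    if u is not None and u.oidc_sub is None:
        u.oidc_sub = claims["sub"]  # the account now belongs to whoever presented the token
        return u
    raise LinkRefused("no matching account")


def link_hardened(users: Dict[str, LocalUser], claims: dict, trusted_issuers: set) -> LocalUser:
    """Only the immutable sub identifies an already-linked account. A first-time link by
    email is allowed solely when the issuer is trusted, asserts email_verified, and the
    local account has never been bound to any subject."""
    u = find_by_sub(users, claims["sub"])
    if u is not None:
        return u
    if claims.get("iss") not in trusted_issuers:
        raise LinkRefused("issuer is not trusted for automatic account linking")
    if claims.get("email_verified") is not True:
        raise LinkRefused("IdP did not assert ownership of the email address")
    u = users.get(claims.get("email"))
    if u is None:
        raise LinkRefused("no local account for this email")
    if u.oidc_sub is not None:
        raise LinkRefused("account is already bound to a different OIDC subject")
    u.oidc_sub = claims["sub"]
    return u


# Constructed issuer allow-list and token claim sets for the scenarios below.
TRUSTED = {"https://idp.example.org"}
VICTIM_CLAIMS = {"iss": "https://idp.example.org", "sub": "victim-sub",
                 "email": "victim@example.com", "email_verified": True}
ATTACKER_CLAIMS = {"iss": "https://other-idp.example", "sub": "attacker-sub",
                   "email": "victim@example.com", "email_verified": False}


def run_scenarios() -> Dict[str, bool]:
    """Exercise both linkers and report which one accepts a token that merely asserts
    the victim's email, plus whether the hardened flow still links a legitimate user."""
    results: Dict[str, bool] = {}

    linked = link_vulnerable(make_users(), ATTACKER_CLAIMS)
    results["vulnerable_accepts_attacker"] = linked.email == "victim@example.com"

    users = make_users()
    try:
        link_hardened(users, ATTACKER_CLAIMS, TRUSTED)
        results["hardened_accepts_attacker"] = True
    except LinkRefused:
        results["hardened_accepts_attacker"] = False

    # Legitimate first login binds the sub; a later token with the same email but a
    # different sub, even from the trusted issuer, must not re-bind the account.
    users = make_users()
    results["hardened_links_victim"] = link_hardened(users, VICTIM_CLAIMS, TRUSTED).oidc_sub == "victim-sub"
    spoof = dict(VICTIM_CLAIMS, sub="attacker-sub")
    try:
        link_hardened(users, spoof, TRUSTED)
        results["hardened_rebinds_after_link"] = True
    except LinkRefused:
        results["hardened_rebinds_after_link"] = False
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The design point is that email is a mutable, user-controlled attribute across identity providers, while sub is the identifier the IdP guarantees is stable and unique per issuer; once an account has been linked, only the (iss, sub) pair should ever resolve to it. Deployments that cannot vouch for every configured IdP can go further than the hardened function here and disable email-based auto-linking altogether, requiring an authenticated user to link their OIDC identity explicitly.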

Affected Version(s)

misp 2.5.0 <= 2.5.37

References

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ali Ganiyev
Luciano Righetti