Vulnerability in ShadowAttribute Proposal Workflow Affects MISP Product by MISP
CVE-2026-9136

8.3 HIGH

Key Information:

Vendor: MISP

Status
Vendor
CVE Published: 20 May 2026

What is CVE-2026-9136?

A vulnerability in the ShadowAttribute proposal creation workflow in MISP lets authenticated users abuse user-controlled request data. The `add` action does not strip the `id` field from incoming data, so a request that carries the id of an existing ShadowAttribute updates that record instead of creating a new proposal. Because this client-supplied primary key is trusted, an authenticated user could alter events they should not have access to, which impacts the integrity of the data. The issue arises from misplaced trust in client input and is addressed in the patch for MISP version 2.5.38.
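The create-versus-update confusion described above, as an added example that is not MISP's code: a toy store whose `save()` is assumed to update when the data carries an existing primary key, with a handler that forwards the request body next to one that allow-lists fields. `ProposalStore`, both handlers, `ALLOWED_FIELDS` and the sample requests are hypothetical and constructed for illustration.

```python
# Toy model, not MISP code: an ORM-style save() that updates when the data
# carries an existing primary key and inserts otherwise (assumed behaviour).
import itertools


class ProposalStore:
    def __init__(self):
        self.rows = {}
        self._ids = itertools.count(1)

    def save(self, data):
        row_id = data.get("id")
        if row_id in self.rows:              # known primary key: UPDATE
            self.rows[row_id].update(data)
            return row_id
        row_id = next(self._ids)             # no usable key: INSERT
        self.rows[row_id] = {**data, "id": row_id}
        return row_id


def add_proposal_vulnerable(store, user, request_data):
    # The request body reaches save() untouched, so a client-supplied "id"
    # turns "create a proposal" into "update an existing one".
    return store.save({**request_data, "proposer": user})


# Fields a client may set on a new proposal (hypothetical list).
ALLOWED_FIELDS = {"event_id", "type", "value"}


def add_proposal_hardened(store, user, request_data):
    # Allow-list: drops "id" and anything else the server must control.
    clean = {k: v for k, v in request_data.items() if k in ALLOWED_FIELDS}
    return store.save({**clean, "proposer": user})


def demo():
    results = {}
    for name, handler in (("vulnerable", add_proposal_vulnerable),
                          ("hardened", add_proposal_hardened)):
        store = ProposalStore()
        # Constructed sample: alice's proposal is stored with id 1.
        handler(store, "alice", {"event_id": 10, "type": "ip-dst", "value": "198.51.100.7"})
        # Constructed request from bob that carries an existing primary key.
        handler(store, "bob", {"id": 1, "event_id": 10, "type": "ip-dst", "value": "203.0.113.9"})
        results[name] = (len(store.rows), store.rows[1]["value"], store.rows[1]["proposer"])
    return results


if __name__ == "__main__":
    print(demo())
```

With the id forwarded, the store still holds one row and its content has been replaced; with the allow-list, the second request becomes a separate new proposal.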

Affected Version(s)

misp 2.5.0 <= 2.5.37

CVSS V4

Score: 8.3
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Seth Kraft