CVE-2026-44363 Overview
CVE-2026-44363 is a Server-Side Request Forgery (SSRF) and certificate validation vulnerability in MISP Modules, the autonomous expansion modules used to extend the Malware Information Sharing Platform (MISP). The html_to_markdown expansion module accepted arbitrary HTTP and HTTPS URLs without sufficient validation. This allowed attackers to direct requests at loopback, private, or link-local network resources. The qrcode module compounded the risk by disabling Transport Layer Security (TLS) certificate verification when retrieving remote images. The flaw is tracked under CWE-295: Improper Certificate Validation and is fixed in MISP Modules version 3.0.7.
Critical Impact
Attackers on an adjacent network can probe internal services through SSRF and intercept module traffic via man-in-the-middle attacks against unverified TLS connections.
Affected Products
- MISP Modules prior to version 3.0.7
- html_to_markdown expansion module
- qrcode expansion module
Discovery Timeline
- 2026-05-13 - CVE-2026-44363 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44363
Vulnerability Analysis
MISP Modules provides expansion services that fetch and process remote content on behalf of the MISP platform. Two modules contained unsafe network handling logic. The html_to_markdown module accepted user-supplied URLs and issued outbound HTTP(S) requests without validating the target. The qrcode module fetched remote images while explicitly disabling TLS certificate verification.
An attacker submitting a crafted URL to html_to_markdown could coerce the module into requesting internal endpoints. Valid SSRF targets include 127.0.0.1, RFC 1918 private ranges, and link-local addresses such as 169.254.169.254 used by cloud metadata services. Responses or side effects from these requests may expose internal services or trigger unintended actions.
The qrcode module's disabled TLS verification allowed an adversary positioned on the network path to present an invalid certificate and tamper with retrieved image data without detection.
Root Cause
The root cause is missing input validation on URL schemes and destination addresses, combined with an explicit override of TLS certificate verification. Neither module resolved hostnames before fetching, enforced request timeouts, nor restricted private address ranges.
Attack Vector
Exploitation requires adjacent network access and no authentication or user interaction. An attacker submits a URL referencing internal infrastructure or a network path susceptible to interception. The module then issues the request from the MISP server, returning data or side effects to the attacker.
No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-fhq3-2gf3-8f3j for additional technical detail.
Detection Methods for CVE-2026-44363
Indicators of Compromise
- Outbound HTTP(S) requests from MISP Modules processes to loopback, RFC 1918, or link-local addresses such as 169.254.169.254
- Module invocations of html_to_markdown or qrcode with URLs pointing to internal hostnames or IP literals
- TLS sessions originating from MISP Modules that lack certificate validation or terminate with self-signed certificates
Detection Strategies
- Inspect MISP Modules access logs for html_to_markdown and qrcode requests containing private or reserved address ranges
- Monitor egress proxy and firewall logs for unexpected traffic from the MISP host to internal subnets or cloud metadata endpoints
- Audit network flows for TLS connections from the MISP server that bypass certificate chain validation
Monitoring Recommendations
- Forward MISP and module logs to a centralized logging platform and alert on requests targeting private CIDR ranges
- Apply egress filtering rules that deny outbound traffic from MISP hosts to internal management networks and metadata services
- Track the installed MISP Modules version and flag any deployment running below 3.0.7
How to Mitigate CVE-2026-44363
Immediate Actions Required
- Upgrade MISP Modules to version 3.0.7 or later on all MISP deployments
- Restrict outbound network access from the MISP Modules host to only required external services
- Block MISP Modules from reaching cloud metadata endpoints and internal management interfaces
Patch Information
The maintainers fixed CVE-2026-44363 in MISP Modules 3.0.7. The patch validates URL schemes, blocks local and private address ranges, resolves hostnames prior to fetching, enforces request timeouts, and re-enables TLS certificate verification. Review the upstream commit 01a522f2 for the full change set.
Workarounds
- Disable the html_to_markdown and qrcode modules until the upgrade can be applied
- Place MISP Modules behind an egress proxy that enforces destination allowlists and certificate validation
- Apply host-based firewall rules denying MISP Modules access to 127.0.0.0/8, RFC 1918 ranges, and 169.254.0.0/16
# Configuration example: upgrade MISP Modules to the fixed release
pip install --upgrade misp-modules==3.0.7
systemctl restart misp-modules
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
