CVE-2026-44379 Overview
CVE-2026-44379 is an input validation vulnerability in MISP, the open source threat intelligence and sharing platform. Prior to version 2.5.37, MISP Collections did not enforce RFC 4122 Universally Unique Identifier (UUID) validation on the uuid field. Authenticated users with permission to create or modify Collection records could submit malformed UUID values. This may cause integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers. The vulnerability is tracked under [CWE-20] Improper Input Validation and is fixed in MISP 2.5.37.
Critical Impact
Authenticated MISP users can corrupt Collection record integrity by submitting non-RFC 4122 UUID values, undermining downstream code paths that rely on UUID well-formedness.
Affected Products
- MISP versions prior to 2.5.37
- MISP Collections feature (uuid field handling)
- Deployments that allow user creation or modification of Collection records
Discovery Timeline
- 2026-05-13 - CVE-2026-44379 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44379
Vulnerability Analysis
The flaw resides in the MISP Collections feature, which exposes a uuid field on Collection records. The application accepted user-supplied values into this field without verifying conformance to RFC 4122. As a result, malformed UUIDs persisted in the database alongside well-formed identifiers.
MISP code paths that consume Collection UUIDs assume the values conform to a fixed 8-4-4-4-12 hexadecimal format. When a malformed UUID is encountered, downstream logic can return inconsistent results, fail lookups, or produce integrity errors during synchronization, export, and correlation operations. The issue affects data integrity rather than confidentiality or availability.
Root Cause
The root cause is missing server-side validation on the uuid attribute of the Collection model. The Collection controller did not invoke a UUID format check before persisting records. The fix, applied in commit f8b20358c3cd8fd3d784452901876f2db0acbf05, adds explicit RFC 4122 validation so that non-conforming values are rejected at the API and form layer.
Attack Vector
Exploitation requires an authenticated MISP account with privileges to create or modify Collection records. An attacker submits a Collection create or update request with a crafted uuid value that violates RFC 4122 structure. The malformed identifier is stored and later consumed by features that expect a valid UUID, producing integrity issues across affected Collection-aware workflows. No user interaction or elevated privileges beyond Collection write access are required. See the GitHub Security Advisory GHSA-jrvj-84mg-8f29 for upstream technical details.
Detection Methods for CVE-2026-44379
Indicators of Compromise
- Collection records whose uuid column does not match the RFC 4122 regex ^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{4}-[0-9a-f]{12}$.
- API audit log entries showing POST or PUT requests to Collection endpoints with non-standard uuid payload values.
- Synchronization or correlation errors referencing Collection identifiers that fail UUID parsing.
Detection Strategies
- Run a database query over the collections table to enumerate records with malformed uuid values and review their creation metadata.
- Inspect MISP application logs for Collection create or update operations performed by users with write permissions on Collection objects.
- Compare Collection UUIDs across synchronized MISP instances to detect divergence introduced by malformed identifiers.
Monitoring Recommendations
- Enable verbose audit logging on MISP Collection endpoints and forward events to a centralized log platform for review.
- Alert on any Collection record creation by accounts that historically have not used the Collections feature.
- Track the MISP version banner across deployments to confirm all instances are running 2.5.37 or later.
How to Mitigate CVE-2026-44379
Immediate Actions Required
- Upgrade all MISP instances to version 2.5.37 or later as published in the upstream commit.
- Audit existing Collection records and remove or correct entries with malformed UUIDs before resuming synchronization.
- Review user permissions and revoke Collection write access from accounts that do not require it.
Patch Information
The MISP maintainers fixed CVE-2026-44379 in release 2.5.37. The patch enforces RFC 4122 UUID validation on the Collection uuid field at the model layer, rejecting malformed values during create and update operations. Operators should apply the official update from the MISP project repository and restart the application service after deployment.
Workarounds
- Restrict Collection create and modify permissions to a small set of trusted administrators until the patch is applied.
- Apply a temporary database constraint or trigger that rejects non-RFC 4122 values inserted into the Collections uuid column.
- Place a reverse proxy rule in front of the MISP API that validates uuid parameters on Collection endpoints against the canonical UUID format.
# Verify MISP version and pull the fixed release
cd /var/www/MISP
sudo -u www-data git fetch --tags
sudo -u www-data git checkout v2.5.37
sudo -u www-data git submodule update --init --recursive
sudo systemctl restart apache2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
