CVE-2026-44380 Overview
CVE-2026-44380 is an improper access control vulnerability in MISP, an open source threat intelligence and sharing platform. The flaw resides in the authentication key reset functionality of MISP versions prior to 2.5.37. An authenticated organization administrator can reset authentication keys belonging to site administrator accounts within the same organization. The application fails to prevent non-site administrators from accessing or resetting site administrator authentication keys. An attacker holding organization administrator privileges can obtain a newly generated authentication key for a higher-privileged account and use it to escalate privileges. The issue is tracked under [CWE-863] Incorrect Authorization and is fixed in MISP 2.5.37.
Critical Impact
An authenticated organization administrator can reset the authentication key of a site administrator account in the same organization and is handed the new key in the response, enabling full vertical privilege escalation to site administrator within the MISP instance.
Affected Products
- MISP threat intelligence and sharing platform
- All MISP versions prior to 2.5.37
- MISP 2.5.37 contains the official fix
Discovery Timeline
- 2026-05-13 - CVE-2026-44380 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44380
Vulnerability Analysis
MISP exposes authentication key management endpoints that allow administrators to create, view, and reset API keys. These keys grant programmatic access to the MISP REST API with the privileges of the associated user account. The authorization logic surrounding the key reset action does not validate whether the requesting administrator has equal or greater privileges than the target user. As a result, an organization administrator can invoke the reset operation against a site administrator account in the same organization. MISP returns the freshly generated authentication key in the response, which the attacker can immediately use to authenticate as the higher-privileged user. This produces a complete vertical privilege escalation from organization administrator to site administrator.
Root Cause
The root cause is a missing privilege boundary check in the authentication key reset controller. MISP's role model distinguishes between organization administrators, who manage users within a single organization, and site administrators, who manage the entire instance. The reset workflow only verified that the caller held administrator status within the target user's organization. It did not confirm that the caller's role was equal to or greater than the target's role. This omission falls under [CWE-863] Incorrect Authorization.
Attack Vector
Exploitation requires network access to the MISP web interface and valid organization administrator credentials. The attacker navigates to the user administration interface, selects a site administrator account belonging to the same organization, and triggers the authentication key reset. MISP issues a new API key and exposes it to the attacker. The attacker then sends authenticated requests to the MISP API using the captured key, inheriting site administrator privileges across the instance. Refer to the GitHub Security Advisory GHSA-3939-4g6m-m3hc for further technical context.
Detection Methods for CVE-2026-44380
Indicators of Compromise
- Unexpected authentication key reset events in MISP audit logs targeting site administrator accounts.
- API requests originating from new or unfamiliar source addresses using site administrator keys shortly after a reset event.
- Audit log entries showing organization administrators performing administrative actions against users outside their normal scope.
Detection Strategies
- Review MISP audit/admin logs for authentication key reset actions (the users/resetauthkey action; the exact action label recorded depends on the MISP version) where the actor's role is lower than the target user's role.
- Correlate authentication key reset events with subsequent API activity from the affected account to identify abuse.
- Alert on any reset of a site administrator key initiated by a non-site administrator user.
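The first two detection strategies above, worked through as an added example (this is not MISP's own tooling or log format). The audit records and API access records are constructed sample data in a simplified JSON-lines shape loosely modelled on MISP's admin log (actor user_id, action, model, model_id); the field names, the reset_auth_key action label, the USERS directory and the access-record shape are assumptions that would need to be mapped onto real exported logs. Only the role flag names perm_admin (organization administrator) and perm_site_admin (site administrator) follow MISP's Role fields.

```python
"""Flag auth key resets where the actor outranks nobody but the target outranks
the actor, then correlate each hit with API activity of the target account from
source addresses not seen before the reset."""
import json
from datetime import datetime, timedelta

# Constructed user directory (assumption): user_id -> org and MISP-style role flags.
USERS = {
    1: {"email": "siteadmin@example.org", "org_id": 1, "perm_admin": True, "perm_site_admin": True},
    7: {"email": "orgadmin@example.org", "org_id": 1, "perm_admin": True, "perm_site_admin": False},
    9: {"email": "analyst@example.org", "org_id": 1, "perm_admin": False, "perm_site_admin": False},
}

# Constructed audit log, one JSON record per line. Not real MISP output.
AUDIT_LOG = """\
{"created":"2026-05-14 08:02:11","user_id":7,"action":"reset_auth_key","model":"User","model_id":9}
{"created":"2026-05-14 08:05:40","user_id":7,"action":"reset_auth_key","model":"User","model_id":1}
{"created":"2026-05-14 08:06:02","user_id":1,"action":"reset_auth_key","model":"User","model_id":1}
{"created":"2026-05-14 08:07:15","user_id":7,"action":"edit","model":"Event","model_id":42}
"""

# Constructed API access records: which account authenticated, from where, when.
API_ACCESS = """\
{"ts":"2026-05-14 07:30:00","user_id":1,"src":"10.0.0.5","path":"/events/index"}
{"ts":"2026-05-14 08:09:30","user_id":1,"src":"203.0.113.9","path":"/admin/users/index"}
{"ts":"2026-05-14 08:10:01","user_id":1,"src":"203.0.113.9","path":"/servers/index"}
"""

RESET_ACTIONS = {"reset_auth_key"}  # assumed label; adjust to the deployed version
FMT = "%Y-%m-%d %H:%M:%S"


def rank(user):
    """Privilege order: site admin (2) > org admin (1) > ordinary user (0)."""
    return 2 if user["perm_site_admin"] else 1 if user["perm_admin"] else 0


def parse(lines):
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def find_cross_role_resets(audit_lines, users=USERS):
    """Return key resets whose actor holds a lower role than the target user."""
    findings = []
    for rec in parse(audit_lines):
        if rec["action"] not in RESET_ACTIONS or rec["model"] != "User":
            continue
        actor, target = users.get(rec["user_id"]), users.get(rec["model_id"])
        if actor is None or target is None:
            continue  # unknown principal: worth its own alert in production
        if rank(actor) < rank(target):
            findings.append({
                "when": datetime.strptime(rec["created"], FMT),
                "actor": actor["email"],
                "target_id": rec["model_id"],
                "target": target["email"],
            })
    return findings


def correlate_post_reset_activity(findings, access_lines, window=timedelta(hours=1)):
    """For each flagged reset, collect API calls by the target account inside
    `window` after the reset that came from a source never seen for that
    account before the reset. A freshly reset site admin key used from a new
    address is the abuse pattern the advisory describes."""
    access = parse(access_lines)
    for rec in access:
        rec["t"] = datetime.strptime(rec["ts"], FMT)
    results = []
    for f in findings:
        mine = [a for a in access if a["user_id"] == f["target_id"]]
        known = {a["src"] for a in mine if a["t"] < f["when"]}
        suspicious = [a for a in mine
                      if f["when"] <= a["t"] <= f["when"] + window and a["src"] not in known]
        results.append({**f, "new_sources": sorted({a["src"] for a in suspicious}),
                        "calls": len(suspicious)})
    return results


if __name__ == "__main__":
    for hit in correlate_post_reset_activity(find_cross_role_resets(AUDIT_LOG), API_ACCESS):
        print(f"{hit['when']} {hit['actor']} reset key of {hit['target']}; "
              f"{hit['calls']} API call(s) afterwards from new source(s) {hit['new_sources']}")
```

Of the three resets in the sample, only the organization administrator resetting the site administrator's key is flagged; the org admin resetting an analyst's key and the site admin resetting their own are within role bounds and stay silent.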
Monitoring Recommendations
- Enable verbose MISP audit logging and forward logs to a centralized SIEM for retention and correlation.
- Baseline normal administrative activity per user role and flag deviations such as cross-role key resets.
- Monitor REST API access patterns for site administrator keys, including geographic and user-agent anomalies.
How to Mitigate CVE-2026-44380
Immediate Actions Required
- Upgrade all MISP instances to version 2.5.37 or later without delay.
- Rotate all site administrator authentication keys after upgrading to invalidate any keys that may have been reset by an attacker.
- Audit recent authentication key reset events and investigate any reset performed by an organization administrator against a site administrator.
Patch Information
The vulnerability is fixed in MISP 2.5.37. The upstream patch enforces a privilege boundary check in the authentication key reset workflow, preventing administrators from resetting keys belonging to users with higher privileges. Full details are published in the MISP GitHub Security Advisory.
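The check described under Root Cause and Patch Information, modelled as an added example. This is an illustration, not MISP's PHP controller code or the upstream diff: the User record, the role ordering and both decision functions are assumptions, and only the flag names perm_admin (organization administrator) and perm_site_admin (site administrator) follow MISP's Role fields. The vulnerable function keeps the organization-scoping check the advisory says was present; the fixed function adds the missing role comparison.

```python
"""Vulnerable versus fixed authorization decision for an auth key reset."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    perm_admin: bool = False       # organization administrator
    perm_site_admin: bool = False  # site administrator


def role_rank(u: User) -> int:
    """Order roles by privilege: site admin > org admin > ordinary user."""
    if u.perm_site_admin:
        return 2
    if u.perm_admin:
        return 1
    return 0


def can_reset_authkey_vulnerable(actor: User, target: User) -> bool:
    """Pre-2.5.37 behaviour as the advisory describes it: the caller only has
    to be an administrator of the target's organization, so a site admin who
    sits in that organization is an acceptable target."""
    if actor.perm_site_admin:
        return True
    return actor.perm_admin and actor.org_id == target.org_id


def can_reset_authkey_fixed(actor: User, target: User) -> bool:
    """Fixed behaviour: keep the organization scoping and additionally require
    the caller's role to be at least as privileged as the target's."""
    if actor.perm_site_admin:
        return True
    if not (actor.perm_admin and actor.org_id == target.org_id):
        return False
    return role_rank(actor) >= role_rank(target)


# Constructed accounts; everyone but OTHER_ORG_USER is in organization 1.
SITE_ADMIN = User(id=1, org_id=1, perm_admin=True, perm_site_admin=True)
ORG_ADMIN = User(id=7, org_id=1, perm_admin=True)
ORG_ADMIN_2 = User(id=8, org_id=1, perm_admin=True)
ANALYST = User(id=9, org_id=1)
OTHER_ORG_USER = User(id=20, org_id=2)


def compare(actor: User, target: User) -> tuple:
    """(vulnerable decision, fixed decision) for one actor/target pair."""
    return (can_reset_authkey_vulnerable(actor, target),
            can_reset_authkey_fixed(actor, target))


if __name__ == "__main__":
    cases = [("site admin", SITE_ADMIN), ("peer org admin", ORG_ADMIN_2),
             ("analyst", ANALYST), ("other-org user", OTHER_ORG_USER)]
    for name, target in cases:
        vuln, fixed = compare(ORG_ADMIN, target)
        print(f"org admin resets {name:15s} vulnerable={vuln!s:5s} fixed={fixed}")
```

The only pair on which the two decisions differ is an organization administrator targeting a site administrator in the same organization; resets of peers and lower-privileged users in the same organization remain allowed, and cross-organization resets were already refused before the fix.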
Workarounds
- Restrict organization administrator role assignments to a minimal trusted set of users until the patch is applied.
- Keep site administrator accounts in an organization that contains no organization administrator users (for example a dedicated administrative organization), since the flaw is only reachable against site administrators in the attacker's own organization.
- Require multi-person review of any administrative role changes and authentication key resets during the remediation window.
# Configuration example: upgrade MISP to the fixed release and rotate site admin auth keys
cd /var/www/MISP
sudo -u www-data git fetch --tags
sudo -u www-data git checkout v2.5.37
# MISP carries several git submodules; bring them in line with the new tag
sudo -u www-data git submodule update --init --recursive
# Apply any pending schema changes for the new release
sudo -u www-data /var/www/MISP/app/Console/cake Admin updateDatabase
# Confirm the deployed version reads 2.5.37 before rotating keys
cat /var/www/MISP/VERSION.json
# Then, from the MISP UI, rotate all site administrator authentication keys
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.