CVE-2026-44381 Overview
CVE-2026-44381 is a SQL injection vulnerability in MISP, an open source threat intelligence and sharing platform. The flaw exists in the event and shadow attribute listing endpoints, which accept user-controlled order or sort parameters and pass them into database query ordering clauses without sufficient field name validation. An authenticated or unauthenticated attacker with access to the affected endpoints can craft malicious ordering parameters to manipulate the generated SQL query. The issue is tracked under [CWE-89] and was fixed in MISP version 2.5.37.
Critical Impact
Successful exploitation can lead to unauthorized data access, query behavior modification, or further database-level compromise depending on database permissions.
Affected Products
- MISP versions prior to 2.5.37
- MISP event listing endpoint
- MISP shadow attribute listing endpoint
Discovery Timeline
- 2026-05-13 - CVE-2026-44381 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44381
Vulnerability Analysis
The vulnerability resides in MISP's handling of request parameters that control result ordering in event and shadow attribute listings. The application accepts order or sort values directly from HTTP request parameters and incorporates them into SQL ORDER BY clauses. The affected code path does not validate that the supplied value matches an allowlist of permitted column names. As a result, attacker-supplied SQL fragments are interpolated into the query string sent to the database.
SQL injection in ORDER BY clauses is particularly dangerous because parameterized queries do not bind identifiers. Developers must enforce strict allowlists on column names. The MISP code path failed to enforce such validation, producing the conditions described by [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Root Cause
The root cause is missing input validation on the order and sort request parameters before they are concatenated into the SQL query. MISP relied on user-controlled string values to identify the column used for ordering without verifying the value against a known set of sortable fields.
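The two code paths the advisory contrasts, as an added example that is not MISP's own code: the vulnerable version interpolates the request's sort value straight into ORDER BY, while the hardened version maps it through an allowlist of sortable fields. The table, column set and sample rows are constructed, with sqlite3 standing in for MISP's database.

```python
import sqlite3

# Assumed allowlist of sortable columns; MISP's real field set is not reproduced here.
SORTABLE_EVENT_FIELDS = {"id", "date", "threat_level_id", "info"}


def setup_db():
    """Constructed in-memory stand-in for an event table (not MISP's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER, date TEXT, threat_level_id INTEGER, info TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", [
        (1, "2026-05-01", 2, "credential phishing campaign"),
        (2, "2026-04-20", 1, "ransomware"),
        (3, "2026-05-10", 3, "scan"),
    ])
    return conn


def list_events_vulnerable(conn, sort):
    """CWE-89 pattern: the request's sort value is interpolated verbatim into ORDER BY.
    Bind parameters cannot fix this, because identifiers are not bindable."""
    sql = f"SELECT id FROM events ORDER BY {sort}"
    return [row[0] for row in conn.execute(sql)]


def build_order_by(sort, direction="asc"):
    """Return an ORDER BY fragment only for an allowlisted column and a known direction."""
    if sort not in SORTABLE_EVENT_FIELDS:
        raise ValueError(f"unsortable field: {sort!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError(f"bad direction: {direction!r}")
    # The identifier is quoted and the direction is normalised from a fixed set.
    return f'ORDER BY "{sort}" {direction.upper()}'


def list_events_fixed(conn, sort, direction="asc"):
    """Hardened listing: the caller chooses an allowlisted key, never the SQL text."""
    sql = "SELECT id FROM events " + build_order_by(sort, direction)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = setup_db()
    # Any expression the caller supplies is executed: here ordering by a function, not a column.
    print(list_events_vulnerable(db, "length(info)"))   # [3, 2, 1]
    print(list_events_fixed(db, "date", "desc"))        # [3, 1, 2]
    try:
        list_events_fixed(db, "length(info)")
    except ValueError as exc:
        print("rejected:", exc)
```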
Attack Vector
The attack vector is network-based and requires no user interaction. An attacker sends crafted HTTP requests to the event or shadow attribute listing endpoints with malicious payloads in the order or sort parameters. Depending on database engine and account privileges, the attacker can extract sensitive threat intelligence data, modify query semantics through stacked subqueries, or pivot to broader database operations. Refer to the GitHub Security Advisory GHSA-4cxp-22wm-j6jr for technical details.
Detection Methods for CVE-2026-44381
Indicators of Compromise
- HTTP requests to MISP event or shadow attribute listing endpoints containing SQL keywords such as SELECT, UNION, SLEEP, BENCHMARK, or parentheses inside order or sort parameters.
- Database error messages or unusually long response times correlated with requests to listing endpoints.
- Web server access logs showing repeated parameter fuzzing against listing endpoints from the same source IP.
Detection Strategies
- Inspect MISP web access logs for order= or sort= parameter values that do not match the expected allowlist of column names.
- Deploy web application firewall (WAF) signatures targeting SQL injection patterns in ordering parameters.
- Enable database query logging on the MISP backend and alert on ORDER BY clauses containing subqueries or function calls.
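The first detection strategy above, allowlist checking of order= and sort= values in the access log, worked through as an added example (not MISP's or any vendor's code). The endpoint paths, the column allowlist and the log lines are constructed assumptions; the IPs are documentation ranges.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed allowlist of sortable columns; adjust to the instance's real field set.
ALLOWED_SORT_FIELDS = {"id", "date", "threat_level_id", "info", "timestamp"}
# A legitimate value is one bare column name, optionally followed by asc/desc.
ORDER_VALUE_RE = re.compile(r"^([a-z_]+)(?:\s+(asc|desc))?$", re.IGNORECASE)
# Combined log format as written by Apache/nginx; only the fields used here are captured.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
LISTING_PATHS = ("/events/index", "/shadow_attributes/index")  # assumed endpoint paths

# Constructed sample lines: one benign sort, one function call smuggled in, one unknown column.
SAMPLE_LOG = """
203.0.113.5 - - [13/May/2026:10:01:02 +0000] "GET /events/index?sort=date&direction=desc HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.9 - - [13/May/2026:10:01:40 +0000] "GET /events/index?sort=date%2Clength%28info%29 HTTP/1.1" 200 5130 "-" "python-requests/2.31"
203.0.113.9 - - [13/May/2026:10:02:11 +0000] "GET /shadow_attributes/index?order=not_a_column HTTP/1.1" 500 412 "-" "python-requests/2.31"
198.51.100.7 - - [13/May/2026:10:03:00 +0000] "GET /events/view/42 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
""".strip().splitlines()


def suspicious_ordering_params(target):
    """Return (param, decoded value) pairs from order=/sort= that are not a plain allowlisted column."""
    parts = urlsplit(target)
    if not parts.path.startswith(LISTING_PATHS):
        return []
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):  # percent-decoding happens here
        if key not in ("order", "sort"):
            continue
        match = ORDER_VALUE_RE.match(value.strip())
        if match is None or match.group(1).lower() not in ALLOWED_SORT_FIELDS:
            hits.append((key, value))
    return hits


def scan_access_log(lines):
    """One alert per offending parameter, carrying the fields an analyst pivots on."""
    alerts = []
    for line in lines:
        match = ACCESS_LOG_RE.match(line)
        if match is None:
            continue
        for key, value in suspicious_ordering_params(match["target"]):
            alerts.append({"ip": match["ip"], "time": match["time"], "status": match["status"],
                           "param": key, "value": value})
    return alerts
```

Checking the decoded value against the allowlist, rather than grepping for keywords, also catches percent-encoded and otherwise obfuscated values that a keyword signature would miss.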
Monitoring Recommendations
- Monitor for unexpected outbound data volume from the MISP database host, which may indicate exfiltration.
- Audit MISP user activity for unusual API access patterns against listing endpoints outside normal business hours.
- Track failed and successful authentications to the MISP platform and correlate with anomalous query parameters.
How to Mitigate CVE-2026-44381
Immediate Actions Required
- Upgrade MISP to version 2.5.37 or later, which contains the fix for the SQL injection vulnerability.
- Restrict network access to the MISP instance to trusted analyst networks and VPN ranges until patching is complete.
- Review database account permissions used by MISP and apply least-privilege principles.
Patch Information
The vulnerability is fixed in MISP 2.5.37. The fix introduces validation of order and sort parameter values against an allowlist of permitted column names before inclusion in SQL queries. See the MISP GitHub Security Advisory for the official remediation guidance.
Workarounds
- Place MISP behind a reverse proxy or WAF that blocks SQL metacharacters in order and sort query parameters.
- Temporarily restrict access to the event and shadow attribute listing endpoints to authenticated, trusted users only.
- Audit existing MISP user accounts and disable any unused or stale credentials to reduce exposure.
# Example WAF rule pattern to block suspicious ordering parameters
# ModSecurity-style rule
SecRule ARGS:order|ARGS:sort "@rx (?i)(select|union|sleep|benchmark|\(|;|--)" \
    "id:1004438,phase:2,deny,status:403,msg:'Possible SQLi in MISP ordering parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.