Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56422

CVE-2026-56422: MISP Auth Bypass Vulnerability

CVE-2026-56422 is an authentication bypass vulnerability in MISP that allows authenticated users to manipulate object ownership and scope through crafted payloads. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-56422 Overview

CVE-2026-56422 is a mass assignment vulnerability affecting multiple Malware Information Sharing Platform (MISP) core controllers and model capture paths. The flaw allows authenticated users to submit crafted REST or form payloads containing client-controlled primary keys and ownership foreign keys such as id, event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, and organisation_uuid. Because affected paths did not consistently strip, pin, or revalidate these fields against the server-authorized object, attackers can cause MISP to save data against an object different from the one checked by authorization logic. The vulnerability is tracked under CWE-639: Authorization Bypass Through User-Controlled Key.

Critical Impact

An authenticated MISP user can overwrite arbitrary objects, transfer ownership, re-parent records, hijack sharing-group scope, retarget proposals, or inject stored attacker-controlled content into another user's context.

Affected Products

  • MISP (Malware Information Sharing Platform) core controllers and model capture paths
  • MISP ServersController, ShadowAttributesController, and related create/edit/import flows
  • MISP CRUDComponent::edit() and Taxonomy model save paths

Discovery Timeline

  • 2026-06-22 - CVE-2026-56422 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-56422

Vulnerability Analysis

The vulnerability stems from MISP controllers and models accepting client-supplied fields verbatim and passing them to CakePHP save() operations without stripping or re-pinning identifiers. An authenticated user with legitimate access to one object can craft payloads that redirect the save to a different, unauthorized row. Depending on the endpoint, this enables object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event or object injection, proposal retargeting, and stored cross-user content injection. The GitHub patch for commit 7acf8220c describes the central issue: CRUDComponent::edit() copied supplied fields, including a payload primary key, onto the loaded record. CakePHP save() then updated an arbitrary row instead of the originally authorized one.

Root Cause

The root cause is missing input filtering on ownership and identity fields throughout create, edit, and import flows. MISP authorization logic validated access against the loaded object, but the subsequent save honored a different id or foreign key supplied by the client. No central field whitelist or primary-key re-pin enforced consistency between the authorization check and the persisted row.

Attack Vector

An authenticated attacker submits a crafted REST or form payload to a vulnerable endpoint. The payload includes additional fields such as id, event_id, org_id, or sharing_group_id that point to objects the attacker does not own. MISP loads the authorized object, merges the attacker-controlled fields, and persists the result against the attacker-chosen target row.

php
                     if (empty($this->request->data['Server']['pull_rules'])) {
                         $this->request->data['Server']['pull_rules'] = $defaultPullRules;
                     }
+                    // This action only ever creates a new server entry. Strip any
+                    // client-supplied id so an injected Server[id] cannot turn this
+                    // INSERT into a covert UPDATE of an arbitrary server row (sync
+                    // url/authkey/push-pull rule hijack) - save() with no fieldList
+                    // here would otherwise honour it. Reported by Jeroen Pinoy.
+                    unset($this->request->data['Server']['id']);
                     if ($this->Server->save($this->request->data)) {
                         if (isset($this->request->data['Server']['submitted_cert'])) {
                             $this->__saveCert($this->request->data, $this->Server->id, false);

Source: MISP Commit 00b2e3d - ServersController.php fix

php
         ]];
         $predicateLookup = array();
         foreach ($vocab['predicates'] as $k => $predicate) {
+            // An import only ever creates fresh predicates. Strip any client-supplied
+            // primary key so a crafted `id` cannot turn the deep saveAssociated() below
+            // into an UPDATE that re-parents/overwrites a predicate owned by another
+            // taxonomy (cross-taxonomy hijack). As reported by Jeroen Pinoy.
+            unset($predicate['id']);
             $taxonomy['Taxonomy']['TaxonomyPredicate'][$k] = $predicate;
             $predicateLookup[$predicate['value']] = $k;
         }

Source: MISP Commit 025f711 - Taxonomy.php fix

Detection Methods for CVE-2026-56422

Indicators of Compromise

  • MISP audit log entries showing object modifications by users without expected ownership of the target event_id, org_id, or sharing_group_id.
  • Unexpected changes to Server records, including modified sync URLs, authkeys, or pull rules attributed to non-administrator accounts.
  • Taxonomy predicates or galaxy clusters re-parented across taxonomies or organizations without corresponding administrative actions.
  • ShadowAttribute proposals where old_id references attributes the proposing user could not legitimately target.

Detection Strategies

  • Review MISP REST API and form POST payloads for client-supplied id, event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, or organisation_uuid fields on create endpoints.
  • Correlate authorization decisions logged by MISP with the primary key of the row ultimately persisted, flagging mismatches.
  • Hunt for Server table updates initiated from non-admin sessions where the persisted row differs from the requesting user's scope.

Monitoring Recommendations

  • Enable verbose MISP audit logging and forward events to a centralized data lake for retrospective hunting.
  • Monitor request bodies sent to MISP create and edit endpoints for unexpected primary key or foreign key fields.
  • Alert on bulk modifications to taxonomy, galaxy cluster, sharing group, and server records performed via API tokens.

How to Mitigate CVE-2026-56422

Immediate Actions Required

  • Upgrade MISP to a version that includes the referenced commits, including 7acf8220c, 00b2e3d, 025f711, 05aad41, and the remaining patches listed in the security advisory.
  • Rotate MISP API authentication keys and Server sync credentials, since the vulnerability could be used to hijack sync configuration.
  • Audit Server, taxonomy, sharing group, and galaxy cluster records for unauthorized changes prior to patching.

Patch Information

The MISP project addressed CVE-2026-56422 across multiple commits in the mass assignment fix sweep. Notable patches include 7acf8220c (central CRUDComponent::edit() primary-key re-pin), 00b2e3d (ServersController create flow), 025f711 (Taxonomy import), and 05aad41 (ShadowAttributesControllerold_id pinning). Additional commits 2cc26f3, 3ff6bd9, 5743301, 58f637a, 634f1f8, 63aebc2, 8311427, 84bafe6, 9341690, ab9619d, bc182d5, and c80a353 harden related create, edit, and import paths. See the MISP GitHub commit history for the full list.

Workarounds

  • Restrict MISP user permissions to the minimum required, reducing the scope of objects an authenticated attacker can authorize against.
  • Disable or limit access to REST API endpoints for non-administrator accounts until patches are applied.
  • Place MISP behind a reverse proxy that strips or rejects unexpected fields such as id, org_id, and sharing_group_id on create endpoints.
bash
# Example: pin MISP to a patched commit when deploying from source
cd /var/www/MISP
sudo -u www-data git fetch origin
sudo -u www-data git checkout 7acf8220cafac58bcfb362da37aca512fe4bb396
sudo -u www-data git submodule update --init --recursive
sudo systemctl restart apache2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.