CVE-2026-56423 Overview
CVE-2026-56423 is a broken access control vulnerability [CWE-862] in MISP (Malware Information Sharing Platform) Core. The flaw resides in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorize deletion using broad role-level permissions instead of validating authorization for each selected object. An authenticated attacker holding the relevant role flag can hard-delete Event Reports and Sharing Groups owned by other organisations across the instance.
Critical Impact
Authenticated contributor-level or sharing-group-capable users can permanently delete Event Reports and Sharing Groups belonging to other organisations, causing instance-wide loss of threat intelligence content and sharing configuration.
Affected Products
- MISP Core (misp-project/misp)
- EventReportsController::deleteSelection handler
- SharingGroupsController::deleteSelection handler
Discovery Timeline
- 2026-06-22 - CVE-2026-56423 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-56423
Vulnerability Analysis
The vulnerability stems from authorization checks that operate at the wrong granularity. MISP enforces per-object ownership in single-object delete actions but the bulk deleteSelection endpoints check only role-level capabilities. An attacker submits a list of report IDs, UUIDs, or sharing group IDs and the handler iterates through each item without verifying ownership.
For Event Reports, the handler accepted any user holding perm_add. A contributor-level account from any organisation could therefore submit identifiers for reports owned by other organisations and trigger hard deletion. For Sharing Groups, the handler accepted any user holding perm_sharing_group, bypassing the checkIfOwner gate that protects the single-object delete path.
The result is cross-organisation data destruction on a shared MISP instance. Threat intelligence content and sharing topology can be wiped by any authenticated user with the broad role flag.
Root Cause
The checkModifyCallback callbacks in both controllers returned a single role permission boolean rather than performing per-row authorization. The bulk action did not mirror the ACL scope enforced by the single-object delete action.
Attack Vector
An authenticated user with perm_add or perm_sharing_group submits a crafted bulk delete request containing identifiers for objects owned by other organisations. The server processes each item, the role-level check returns true, and each object is hard-deleted without consulting per-object ownership.
// Patch: app/Controller/EventReportsController.php
'itemName' => 'EventReport',
'view' => 'ajax/eventReportDeleteConfirmationForm',
'checkModifyCallback' => function($itemId) {
- return $this->userRole['perm_add'];
+ // DPT-1: enforce per-row ownership, mirroring delete().
+ // A bare perm_add flag let any contributor batch-delete
+ // reports owned by other orgs - deleteSelection resolves
+ // rows by id/uuid with no ACL scope of its own.
+ $report = $this->EventReport->fetchIfAuthorized(
+ $this->Auth->user(), $itemId, 'delete', false, false
+ );
+ return !empty($report['EventReport']);
},
// Source: https://github.com/MISP/MISP/commit/ada02fa6d7558732aa4712fd5e9451cd8c5b7a64
// Patch: app/Controller/SharingGroupsController.php
'itemName' => 'SharingGroup',
'view' => 'ajax/sharingGroupDeleteConfirmationForm',
'checkModifyCallback' => function($itemId) {
- return $this->userRole['perm_sharing_group'];
+ // DPT-1: enforce per-row ownership, mirroring delete().
+ // A bare perm_sharing_group flag let any SG-capable user
+ // batch-delete sharing groups they don't own; the single
+ // delete() gates on checkIfOwner, deleteSelection skipped it.
+ return $this->SharingGroup->checkIfOwner(
+ $this->Auth->user(), $itemId
+ );
},
// Source: https://github.com/MISP/MISP/commit/f99b3f16ef22c7acf10e17036c777759cf031c15
Detection Methods for CVE-2026-56423
Indicators of Compromise
- HTTP POST requests to /eventReports/deleteSelection or /sharing_groups/deleteSelection originating from users whose organisation does not own the listed identifiers.
- Audit log entries showing hard deletion of Event Reports or Sharing Groups owned by organisations other than the requesting user.
- Sudden drops in Event Report counts or Sharing Group definitions without corresponding administrative action.
Detection Strategies
- Correlate MISP audit logs against organisation ownership records to flag deletions where actor org and object owner org differ.
- Alert on bulk deletion requests containing more than a typical threshold of identifiers per call.
- Monitor for users with perm_add or perm_sharing_group invoking deleteSelection endpoints.
Monitoring Recommendations
- Forward MISP application logs and web server access logs to a centralized logging platform for retention and querying.
- Track HTTP 200 responses on deleteSelection routes paired with the identifier counts in the request body.
- Establish a baseline of normal bulk deletion activity per user and alert on deviations.
How to Mitigate CVE-2026-56423
Immediate Actions Required
- Update MISP to the version containing commits ada02fa6d7558732aa4712fd5e9451cd8c5b7a64 and f99b3f16ef22c7acf10e17036c777759cf031c15.
- Audit recent deleteSelection activity in MISP logs and restore deleted Event Reports and Sharing Groups from backup where unauthorized deletion is identified.
- Review which user accounts hold perm_add and perm_sharing_group and revoke flags from accounts that do not require them.
Patch Information
The MISP project addressed the issue with two commits to MISP Core. The EventReports patch replaces the perm_add check with EventReport::fetchIfAuthorized($user, $itemId, 'delete'). The SharingGroups patch replaces the perm_sharing_group check with SharingGroup::checkIfOwner($user, $itemId). Apply both commits or upgrade to a release that includes them.
Workarounds
- Temporarily restrict the perm_add and perm_sharing_group role flags to trusted administrators until the patch is applied.
- Block access to /eventReports/deleteSelection and /sharing_groups/deleteSelection at the reverse proxy or web application firewall.
- Increase backup frequency of the MISP database to limit potential data loss until patching completes.
# Example: pull latest MISP and apply the security commits
cd /var/www/MISP
sudo -u www-data git fetch origin
sudo -u www-data git cherry-pick ada02fa6d7558732aa4712fd5e9451cd8c5b7a64
sudo -u www-data git cherry-pick f99b3f16ef22c7acf10e17036c777759cf031c15
sudo systemctl restart apache2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

