Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56424

CVE-2026-56424: MISP Auth Bypass Vulnerability

CVE-2026-56424 is an authorization bypass flaw in Misp-project MISP that allows authenticated users to modify or delete cross-organization data. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-56424 Overview

CVE-2026-56424 affects MISP (Malware Information Sharing Platform), an open-source threat intelligence platform. The vulnerability stems from multiple broken access control flaws [CWE-639] where authorization checks validate the wrong entity or omit ownership verification on write paths. Authenticated users holding subsystem-specific feature permissions can authorize one object while mutating another, or modify objects that are only visible rather than editable to their organization. Affected subsystems include Event Reports, Collection Elements, Analyst Data, Template Elements, and Decaying Models.

Critical Impact

Authenticated users with low-level subsystem permissions can perform unauthorized cross-organization modifications and deletions of MISP data, undermining the integrity of shared threat intelligence.

Affected Products

  • MISP (Malware Information Sharing Platform) core
  • misp-project:misp installations exposing Event Reports, Collection Elements, Analyst Data, Template Elements, and Decaying Model subsystems
  • Multi-tenant MISP deployments sharing intelligence across organizations

Discovery Timeline

  • 2026-06-22 - CVE-2026-56424 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-56424

Vulnerability Analysis

The MISP codebase contained five distinct Insecure Direct Object Reference (IDOR) patterns where authorization checks ran against an attacker-controlled identifier rather than the identifier of the object being mutated. In the Event Reports removeTag action, the route-level authorization validated one report while the detach operation used a report ID supplied in the request body, allowing a user with perm_tagger to strip tags from reports they could not modify.

The Collection Elements deleteSelection handler passed the element row ID to mayModify(), a function that expects a collection ID. The check therefore validated a collection whose ID coincidentally matched the element row ID. Analyst Data capture and update paths bypassed the canEditAnalystData ownership check on nested updates, allowing one organization to overwrite another organization's analyst data. Template Elements and Decaying Models exhibited the same wrong-entity authorization pattern on edit and remap operations.

Root Cause

The root cause is consistent use of identifiers from request input or sibling rows when invoking authorization helpers, instead of resolving authorization against the actual parent or target entity. Write paths also loaded models using view-scope access without re-verifying edit ownership.

Attack Vector

An authenticated user with subsystem-specific permissions issues a normal write request, supplying object identifiers crafted so the route-authorized entity differs from the entity actually mutated. No additional privileges or user interaction are required.

php
// Patch: Event Reports removeTag wrong-entity authorization (DPT-2)
// Source: https://github.com/MISP/MISP/commit/24d7e91339a3ef043652dd5799c36e5065b2bb4a
                $tag_id = $tag['Tag']['id'];
            }
            if (!is_numeric($id)) {
-                $id = $this->request->data['EventReport']['id'];
+                // DPT-2: pin the detach target to the route-authorised
+                // report. Reading the id from the body let it diverge from
+                // the report __canModifyTag() authorises against (which uses
+                // the route report's event), so a perm_tagger user could
+                // strip tags off a report they may not modify (IDOR).
+                $id = $report['EventReport']['id'];
            }
php
// Patch: CollectionElements deleteSelection wrong-entity authorization (DPT-3)
// Source: https://github.com/MISP/MISP/commit/57ad774d21bd1863d060a9e6e73ae54eb96784ce
-            'checkModifyCallback' => function($itemId) {
-                return $this->CollectionElement->Collection->mayModify($this->Auth->user('id'), $itemId);
+            'checkModifyCallback' => function($itemId, $item) {
+                // DPT-3: authorise against the element's OWN collection,
+                // not a collection whose id happens to equal the element id.
+                $collectionId = $item['CollectionElement']['collection_id'];
+                return $this->CollectionElement->Collection->mayModify($this->Auth->user('id'), $collectionId);
            },
php
// Patch: AnalystData capture bypassed canEditAnalystData on update (DPT-4)
// Source: https://github.com/MISP/MISP/commit/3aecc04d5816189412b589cf590c6dbe9a8db5c0
+            if (
+                !$user['Role']['perm_sync'] && !$user['Role']['perm_site_admin'] &&
+                !$analystModel->canEditAnalystData($user, $existingAnalystData, $type)
+            ) {
+                $results['errors'][] = __('Cannot edit analyst data (%s) created by another organisation.', $analystData[$type]['uuid']);
+                $results['failed']++;
+                return $results;
+            }

Detection Methods for CVE-2026-56424

Indicators of Compromise

  • Audit log entries showing tag removals on Event Reports by users whose organization does not own the parent event.
  • Bulk delete events in CollectionElements where the actor's organization differs from the parent collection's owning organization.
  • Updates to AnalystData records where orgc_uuid matches the previous owner but the editing user belongs to a different organization.
  • Modifications to Template Elements or Decaying Models authored by another organization without an explicit sharing change.

Detection Strategies

  • Correlate write actions in EventReportsController, CollectionElementsController, AnalystData, Template Elements, and Decaying Model endpoints with the acting user's organization identifier.
  • Alert on any request where the id field in the request body differs from the route-level resource identifier for tag detach operations.
  • Compare created_by_org of mutated rows against the authenticated user's org_id at the database layer.

Monitoring Recommendations

  • Enable MISP audit logging and forward records to a centralized log platform for cross-organization mutation analysis.
  • Track high-frequency write activity from non-administrative roles such as perm_tagger, perm_modify, and perm_analyst_data.
  • Monitor MISP HTTP access logs for parameter tampering patterns on Event Report and Collection Element endpoints.

How to Mitigate CVE-2026-56424

Immediate Actions Required

  • Apply the upstream MISP commits that correct the wrong-entity authorization checks across the affected controllers and models.
  • Review user role assignments and revoke perm_tagger, perm_analyst_data, and template or decaying model edit permissions where not strictly required.
  • Audit recent modifications to Event Reports, Collection Elements, Analyst Data, Template Elements, and Decaying Models for unauthorized cross-organization changes.

Patch Information

MISP maintainers published fixes in the following commits: 24d7e913, 3aecc04d, 57ad774d, 744005ce, and ba2f51fe. Upgrade to a MISP release that incorporates all five commits.

Workarounds

  • Restrict subsystem-specific permissions (Event Report tagging, Collection Element management, Analyst Data editing, Template editing, Decaying Model editing) to trusted users until patches are applied.
  • Place MISP behind a reverse proxy and log all POST, PUT, and DELETE requests against the affected controllers for retrospective review.
  • Disable or limit cross-organization sharing for sensitive Event Reports and Analyst Data records.
bash
# Verify the running MISP commit includes the five security fixes
cd /var/www/MISP
sudo -u www-data git log --oneline | grep -E '24d7e91|3aecc04|57ad774|744005c|ba2f51f'

# Pull the latest 2.4 branch and update dependencies
sudo -u www-data git fetch --all
sudo -u www-data git checkout 2.4
sudo -u www-data git pull origin 2.4
sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.