Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-60124

CVE-2026-60124: MISP Authorization Bypass Vulnerability

CVE-2026-60124 is an authorization bypass flaw in MISP's EventsController::importModule() that allows authenticated read-only users to modify event data. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-60124 Overview

CVE-2026-60124 is an authorization bypass vulnerability in the Malware Information Sharing Platform (MISP). The flaw resides in the EventsController::importModule() method, which failed to verify event modification rights before persisting import module output. Authenticated users holding only view permissions, including read-only API keys, could inject or modify data on events they were not authorized to change. The issue is classified under [CWE-862] Missing Authorization and affects the integrity of MISP event content used by threat intelligence teams.

Critical Impact

A view-only account or read-only API key can write attacker-controlled data into restricted MISP events, corrupting threat intelligence integrity across sharing communities.

Affected Products

  • MISP (Malware Information Sharing Platform) — versions prior to the commit d0725fc34fda256cc57e5a8f0543cd541033e008
  • Deployments exposing the importModule endpoint to authenticated users with event view access
  • MISP instances issuing read-only API keys with view rights on shared events

Discovery Timeline

  • 2026-07-08 - CVE-2026-60124 published to the National Vulnerability Database (NVD)
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-60124

Vulnerability Analysis

The vulnerability sits in the write path of EventsController::importModule() in app/Controller/EventsController.php. When an import module returns results using the misp_standard format, MISP calls handleMispFormatFromModuleResult() and saves the resolved event without re-checking whether the caller can modify the target event. Related module result handlers such as __pushFreetext() gate writes on the $mayModify flag, but the misp_standard branch omitted that check.

As a result, any authenticated user with view rights on an event can trigger an import module and have its output written into that event. This includes attributes, objects, tags, and comments generated by the module. The impact is limited to integrity — no confidentiality or availability effects — but corrupted threat intelligence propagates to downstream consumers through MISP sync and export mechanisms.

Root Cause

The root cause is missing authorization enforcement [CWE-862] on a specific format branch. The misp_standard handling path assumed the enclosing controller action had already validated modification rights, but it had only validated view access. The fix enforces the same permission gate used elsewhere in the controller before saving module output.

Attack Vector

The attack requires network access to the MISP web interface or REST API and a valid low-privilege credential such as a read-only API key. The attacker calls the importModule action against an event they can view, supplies module input, and receives a response indicating the write succeeded despite lacking modify rights. No user interaction is required.

php
// Security patch in app/Controller/EventsController.php
// fix: [security] Enforce modify rights on importModule misp_standard write path
$importComment = !empty($result['comment']) ? $result['comment'] : 'Enriched via the ' . $module['name'] . ' module';
if (!empty($module['mispattributes']['format']) && $module['mispattributes']['format'] === 'misp_standard') {
    // TODO: route non-modifiers through proposals to match __pushFreetext().
    if (!$mayModify) {
        throw new ForbiddenException(__('You don\'t have permission to do that.'));
    }
    $resolvedEvent = $this->Event->handleMispFormatFromModuleResult($result);
    $resolvedEvent['Event'] = $event['Event'];
    if ($this->_isRest()) {

Source: GitHub MISP Commit d0725fc

Detection Methods for CVE-2026-60124

Indicators of Compromise

  • MISP audit log entries showing event modifications performed by users or API keys that hold only view permissions on the affected event
  • Attributes or objects tagged with the auto-generated comment Enriched via the <module> module on events the caller should not be able to write
  • POST requests to /events/importModule/* endpoints originating from read-only API keys

Detection Strategies

  • Review the MISP logs table for add, edit, or save actions on events where the acting user's role or API key lacks perm_modify for the event's org or sharing group
  • Correlate importModule requests in web server access logs with the acting user's permission profile to flag unauthorized writes
  • Baseline expected import module usage per user and alert on deviations, particularly from service or automation accounts

Monitoring Recommendations

  • Forward MISP application logs and web access logs to a central analytics platform for retention and correlation across users, API keys, and event IDs
  • Alert on any successful state-changing HTTP request to EventsController actions initiated by API keys marked read-only
  • Track event modification counts per API key and investigate sudden increases that correlate with importModule calls

How to Mitigate CVE-2026-60124

Immediate Actions Required

  • Update MISP to a build that includes commit d0725fc34fda256cc57e5a8f0543cd541033e008 or later
  • Audit existing API keys and revoke any read-only keys that show write activity on events since the vulnerability window began
  • Review recent event modifications performed through importModule and revert content originating from unauthorized principals

Patch Information

The fix adds a $mayModify check in EventsController::importModule() before invoking handleMispFormatFromModuleResult() for misp_standard results. Callers without modification rights now receive a ForbiddenException. Apply the upstream commit or upgrade to the next tagged MISP release that includes it. See the GitHub MISP Commit d0725fc for the exact diff.

Workarounds

  • Restrict access to the importModule action at the reverse proxy or web server level for users and API keys that only require read access
  • Disable import modules that return the misp_standard format until the patch is applied
  • Rotate API keys and reissue only those keys that require write privileges for automation workflows
bash
# Verify installed MISP includes the fix commit
cd /var/www/MISP
sudo -u www-data git log --oneline | grep d0725fc

# If missing, pull the patch
sudo -u www-data git fetch origin
sudo -u www-data git cherry-pick d0725fc34fda256cc57e5a8f0543cd541033e008
sudo systemctl restart apache2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.