CVE-2026-60125 Overview
CVE-2026-60125 is an authorization bypass vulnerability in MISP (Malware Information Sharing Platform). The importModule() code path called getEnabledModule() to resolve a single import module by name. This lookup did not enforce the per-organisation module restriction that getEnabledModules() applies. An authenticated user belonging to an organisation blocked via Plugin.Import_<module>_restrict could still invoke a restricted import module if they knew its name. The flaw maps to [CWE-863: Incorrect Authorization].
Critical Impact
Authenticated users can bypass organisation-level import module restrictions, potentially importing or modifying event data through modules that should be unavailable to their organisation.
Affected Products
- MISP (Malware Information Sharing Platform) prior to the fix in commit 0ed79b4d3177f4b9e44040962161a1a436d2587d
Discovery Timeline
- 2026-07-08 - CVE-2026-60125 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-60125
Vulnerability Analysis
MISP exposes import modules that can be gated per-organisation using the Plugin.Import_<module>_restrict configuration. The listing function getEnabledModules() filters modules based on the caller's organisation via a canUse check. The single-module lookup function getEnabledModule() did not apply that same restriction. When EventsController::importModule() used getEnabledModule() to resolve a module by name, the authorization check that normally excludes restricted modules was skipped.
An authenticated user who knew the name of a restricted module could invoke it directly. Depending on the module's behaviour and the user's event permissions, this could result in unauthorised import or modification of event data.
Root Cause
The root cause is inconsistent authorization enforcement between two related lookup paths. getEnabledModules() (plural) enforced the per-organisation canUse check. getEnabledModule() (singular) accepted only $name and $type parameters and had no access to the current user's organisation. Any caller relying on the singular form to determine module availability bypassed the organisation restriction.
Attack Vector
An attacker authenticated as a low-privilege user from a restricted organisation submits a request to the import module endpoint referencing the restricted module by name. The controller resolves the module via getEnabledModule() without evaluating organisation restrictions and dispatches the import operation.
// Patch in app/Controller/EventsController.php
}
$this->loadModel('Module');
- $module = $this->Module->getEnabledModule($moduleName, 'Import');
+ $module = $this->Module->getEnabledModule($moduleName, 'Import', $this->Auth->user());
if (!is_array($module)) {
throw new MethodNotAllowedException($module);
}
// Source: https://github.com/MISP/MISP/commit/0ed79b4d3177f4b9e44040962161a1a436d2587d
// Patch in app/Model/Module.php
/**
* @param string $name
* @param string $type
+ * @param array|null $user If provided, enforce the per-organisation module
+ * restriction (canUse), matching getEnabledModules().
* @return array|string
*/
- public function getEnabledModule($name, $type)
+ public function getEnabledModule($name, $type, array $user = null)
{
if (!isset(self::TYPE_TO_FAMILY[$type])) {
throw new InvalidArgumentException("Invalid type '$type'.");
// Source: https://github.com/MISP/MISP/commit/0ed79b4d3177f4b9e44040962161a1a436d2587d
Detection Methods for CVE-2026-60125
Indicators of Compromise
- Import module invocations in MISP logs originating from user accounts whose organisation is listed in Plugin.Import_<module>_restrict for that module.
- Unexpected event creation or modification events attributed to organisations that should not have access to a given import module.
- HTTP POST requests to /events/importModule/<moduleName>/* from users outside the module's allow-list.
Detection Strategies
- Correlate MISP audit log entries with the current Plugin.Import_*_restrict configuration to identify restricted-module usage by disallowed organisations.
- Baseline import module usage per organisation and flag first-time use of a module by an organisation not previously observed using it.
- Review event history for imports originating from modules that should be unavailable to the acting user's organisation.
Monitoring Recommendations
- Enable MISP audit logging and forward logs to a centralised SIEM for retention and query.
- Alert on any invocation of import modules that appear in a *_restrict configuration, cross-referenced with the invoking user's organisation.
- Monitor for anomalous spikes in event creation or attribute modification tied to specific import modules.
How to Mitigate CVE-2026-60125
Immediate Actions Required
- Update MISP to a build that includes commit 0ed79b4d3177f4b9e44040962161a1a436d2587d.
- Audit MISP audit logs for prior invocations of restricted import modules by disallowed organisations.
- Review event data recently imported or modified via restricted modules and roll back unauthorised changes.
Patch Information
The fix is available in the MISP repository. Model/Module.php was updated so getEnabledModule() accepts an optional $user array and applies the same canUse per-organisation check performed by getEnabledModules(). EventsController::importModule() was updated to pass $this->Auth->user() when resolving the requested module. See the MISP security commit 0ed79b4 for the full patch.
Workarounds
- Restrict access to the import module endpoints at the reverse proxy or web application firewall level for users in organisations that should not use them, until the patch is applied.
- Temporarily disable import modules that are configured with Plugin.Import_<module>_restrict if the restriction is critical.
- Reduce user roles so that lower-privileged accounts cannot invoke event import operations until the fix is deployed.
# Apply the upstream fix from the MISP repository
cd /var/www/MISP
sudo -u www-data git fetch origin
sudo -u www-data git cherry-pick 0ed79b4d3177f4b9e44040962161a1a436d2587d
sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

