Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-60125

CVE-2026-60125: MISP Auth Bypass Vulnerability

CVE-2026-60125 is an authentication bypass flaw in MISP that allows users to access restricted import modules, potentially enabling unauthorized data modification. This article covers technical details, affected versions, and fixes.

Published:

CVE-2026-60125 Overview

CVE-2026-60125 is an authorization bypass vulnerability in MISP (Malware Information Sharing Platform). The importModule() code path called getEnabledModule() to resolve a single import module by name. This lookup did not enforce the per-organisation module restriction that getEnabledModules() applies. An authenticated user belonging to an organisation blocked via Plugin.Import_<module>_restrict could still invoke a restricted import module if they knew its name. The flaw maps to [CWE-863: Incorrect Authorization].

Critical Impact

Authenticated users can bypass organisation-level import module restrictions, potentially importing or modifying event data through modules that should be unavailable to their organisation.

Affected Products

  • MISP (Malware Information Sharing Platform) prior to the fix in commit 0ed79b4d3177f4b9e44040962161a1a436d2587d

Discovery Timeline

  • 2026-07-08 - CVE-2026-60125 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-60125

Vulnerability Analysis

MISP exposes import modules that can be gated per-organisation using the Plugin.Import_<module>_restrict configuration. The listing function getEnabledModules() filters modules based on the caller's organisation via a canUse check. The single-module lookup function getEnabledModule() did not apply that same restriction. When EventsController::importModule() used getEnabledModule() to resolve a module by name, the authorization check that normally excludes restricted modules was skipped.

An authenticated user who knew the name of a restricted module could invoke it directly. Depending on the module's behaviour and the user's event permissions, this could result in unauthorised import or modification of event data.

Root Cause

The root cause is inconsistent authorization enforcement between two related lookup paths. getEnabledModules() (plural) enforced the per-organisation canUse check. getEnabledModule() (singular) accepted only $name and $type parameters and had no access to the current user's organisation. Any caller relying on the singular form to determine module availability bypassed the organisation restriction.

Attack Vector

An attacker authenticated as a low-privilege user from a restricted organisation submits a request to the import module endpoint referencing the restricted module by name. The controller resolves the module via getEnabledModule() without evaluating organisation restrictions and dispatches the import operation.

php
// Patch in app/Controller/EventsController.php
        }

        $this->loadModel('Module');
-        $module = $this->Module->getEnabledModule($moduleName, 'Import');
+        $module = $this->Module->getEnabledModule($moduleName, 'Import', $this->Auth->user());
        if (!is_array($module)) {
            throw new MethodNotAllowedException($module);
        }
// Source: https://github.com/MISP/MISP/commit/0ed79b4d3177f4b9e44040962161a1a436d2587d
php
// Patch in app/Model/Module.php
    /**
     * @param string $name
     * @param string $type
+    * @param array|null $user If provided, enforce the per-organisation module
+    *                         restriction (canUse), matching getEnabledModules().
     * @return array|string
     */
-    public function getEnabledModule($name, $type)
+    public function getEnabledModule($name, $type, array $user = null)
    {
        if (!isset(self::TYPE_TO_FAMILY[$type])) {
            throw new InvalidArgumentException("Invalid type '$type'.");
// Source: https://github.com/MISP/MISP/commit/0ed79b4d3177f4b9e44040962161a1a436d2587d

Detection Methods for CVE-2026-60125

Indicators of Compromise

  • Import module invocations in MISP logs originating from user accounts whose organisation is listed in Plugin.Import_<module>_restrict for that module.
  • Unexpected event creation or modification events attributed to organisations that should not have access to a given import module.
  • HTTP POST requests to /events/importModule/<moduleName>/* from users outside the module's allow-list.

Detection Strategies

  • Correlate MISP audit log entries with the current Plugin.Import_*_restrict configuration to identify restricted-module usage by disallowed organisations.
  • Baseline import module usage per organisation and flag first-time use of a module by an organisation not previously observed using it.
  • Review event history for imports originating from modules that should be unavailable to the acting user's organisation.

Monitoring Recommendations

  • Enable MISP audit logging and forward logs to a centralised SIEM for retention and query.
  • Alert on any invocation of import modules that appear in a *_restrict configuration, cross-referenced with the invoking user's organisation.
  • Monitor for anomalous spikes in event creation or attribute modification tied to specific import modules.

How to Mitigate CVE-2026-60125

Immediate Actions Required

  • Update MISP to a build that includes commit 0ed79b4d3177f4b9e44040962161a1a436d2587d.
  • Audit MISP audit logs for prior invocations of restricted import modules by disallowed organisations.
  • Review event data recently imported or modified via restricted modules and roll back unauthorised changes.

Patch Information

The fix is available in the MISP repository. Model/Module.php was updated so getEnabledModule() accepts an optional $user array and applies the same canUse per-organisation check performed by getEnabledModules(). EventsController::importModule() was updated to pass $this->Auth->user() when resolving the requested module. See the MISP security commit 0ed79b4 for the full patch.

Workarounds

  • Restrict access to the import module endpoints at the reverse proxy or web application firewall level for users in organisations that should not use them, until the patch is applied.
  • Temporarily disable import modules that are configured with Plugin.Import_<module>_restrict if the restriction is critical.
  • Reduce user roles so that lower-privileged accounts cannot invoke event import operations until the fix is deployed.
bash
# Apply the upstream fix from the MISP repository
cd /var/www/MISP
sudo -u www-data git fetch origin
sudo -u www-data git cherry-pick 0ed79b4d3177f4b9e44040962161a1a436d2587d
sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.