CVE-2026-9084 Overview
CVE-2026-9084 is an authentication bypass vulnerability in the Malware Information Sharing Platform (MISP) OpenID Connect (OIDC) authentication plugin. The plugin automatically linked an OIDC identity to an existing local user account based solely on the email claim when the local account had no stored sub (subject) value. Under insecure or untrusted Identity Provider (IdP) configurations where email ownership is not enforced, an attacker holding a valid OIDC token could assert a victim's email address and authenticate as that user. The flaw maps to CWE-287 (Improper Authentication) and enables account takeover of any local MISP user whose record lacks a bound subject identifier.
Critical Impact
Attackers with a valid OIDC token from a misconfigured IdP can impersonate any local MISP user that has no sub value bound to their account, resulting in full account takeover.
Affected Products
- MISP (Malware Information Sharing Platform) deployments using the OIDC authentication plugin
- Installations where local accounts exist without a stored sub value (pre-migration or mixed authentication setups)
- Configurations integrating with IdPs that do not enforce email ownership or do not issue email_verified
Discovery Timeline
- 2026-05-20 - CVE-2026-9084 published to the National Vulnerability Database (NVD)
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-9084
Vulnerability Analysis
The vulnerability resides in the MISP OIDC authentication component at app/Plugin/OidcAuth/Lib/Oidc.php. When an OIDC login attempt could not locate a user by the token's sub claim, the code fell back to searching by the email claim. If a matching local user existed and that user's stored sub was NULL, the plugin completed authentication and bound the incoming OIDC identity to that account.
This fallback path treated the email claim as authoritative proof of identity. In deployments using IdPs that allow users to set arbitrary email addresses on their profile, or that do not issue an email_verified claim, a token holder could log in as any local MISP user sharing that email. The original code only blocked the login when sub was non-null and mismatched, leaving the NULL sub case fully exploitable.
Root Cause
The root cause is reliance on an unverified, attacker-controllable claim for identity binding. The authentication logic assumed that any IdP-issued token containing an email claim represented a legitimate owner of that email address. No verification of the email_verified claim was performed, and no operator opt-in was required to enable cross-identity linking.
Attack Vector
An attacker requires a valid token from the configured OIDC IdP and knowledge of a target MISP user's email address. The attacker registers or modifies an IdP account so that its email claim matches the target's MISP email. Upon authenticating to MISP, the plugin fails to find the attacker's sub, falls back to email lookup, finds the victim's local account with NULL sub, and grants access as that user.
// Source: https://github.com/MISP/MISP/commit/71f5662c1b5886613d2cd5c72fd93bb4ca6fa172
// Patch in app/Plugin/OidcAuth/Lib/Oidc.php: adds gating around the email-based linking path
if (!$user) { // User by sub not found, try to find by email
    $user = $this->_findUser($settings, ['User.email' => $mispUsername]);
    if ($user) {
        if ($user['sub'] !== null && $user['sub'] !== $sub) {
            $this->log($mispUsername, "User sub doesn't match ({$user['sub']} != $sub), could not login.", LOG_ERR);
            return false;
        }
        if ($user['sub'] === null) {
            $allowLink = (bool)$this->getConfig('allow_email_linking', false, false);
            $requireVerified = (bool)$this->getConfig('require_email_verified', true, false);
            $rawEmailVerified = $claims->email_verified ?? null;
            $isVerified = ($rawEmailVerified === true || $rawEmailVerified === 'true');
            if (!$allowLink || ($requireVerified && !$isVerified)) {
                $this->log(
                    $mispUsername,
                    "Refusing to link OIDC identity to existing user with NULL sub " .
                    "(allow_email_linking=" . var_export($allowLink, true) .
                    ", require_email_verified=" . var_export($requireVerified, true) .
                    ", email_verified=" . var_export($rawEmailVerified, true) . ").",
                    LOG_ERR
                );
                return false;
            }
        }
    }
}
The patch introduces two new configuration flags, OidcAuth.allow_email_linking (default false) and OidcAuth.require_email_verified (default true), and refuses to link an OIDC identity to a local user with NULL sub unless both conditions explicitly permit it. See the MISP security commit for the full patch.
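The following is an added model of the linking decision described above, written for this page rather than taken from MISP: it reproduces the pre-patch fallback (lookup by sub, then by email, with only a non-NULL mismatching sub blocking the login) beside the patched gate (operator opt-in plus an email_verified check). The user store, the claim dictionaries and the function names are constructed for illustration; the two accepted forms of email_verified (boolean true or the string 'true') and the default flag values follow the patch.

```python
# Added model of the CVE-2026-9084 linking decision; not MISP code.
# The user store, claim dicts and function names are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class LocalUser:
    id: int
    email: str
    sub: Optional[str]  # None models the NULL sub column of a pre-migration account


def fresh_users():
    """Constructed users table: alice is already bound to an OIDC subject, bob is not."""
    return [
        LocalUser(1, "alice@example.org", "idp-sub-alice"),
        LocalUser(2, "bob@example.org", None),
    ]


def _find_by_sub(users, sub):
    return next((u for u in users if u.sub is not None and u.sub == sub), None)


def _find_by_email(users, email):
    return next((u for u in users if u.email.lower() == email.lower()), None)


def resolve_vulnerable(users, claims) -> Tuple[Optional[LocalUser], str]:
    """Pre-patch logic: only a non-NULL, mismatching sub blocks the email fallback,
    so a NULL-sub account is bound to whatever subject presents its email."""
    user = _find_by_sub(users, claims["sub"])
    if user is not None:
        return user, "matched by sub"
    user = _find_by_email(users, claims["email"])
    if user is None:
        return None, "no user"
    if user.sub is not None and user.sub != claims["sub"]:
        return None, "sub mismatch"
    user.sub = claims["sub"]  # silent binding: no email_verified check, no opt-in
    return user, "linked by email"


def resolve_patched(users, claims, allow_email_linking=False,
                    require_email_verified=True) -> Tuple[Optional[LocalUser], str]:
    """Patched logic: identical lookups, but the NULL-sub link is gated by
    operator opt-in and, by default, by a true email_verified claim."""
    user = _find_by_sub(users, claims["sub"])
    if user is not None:
        return user, "matched by sub"
    user = _find_by_email(users, claims["email"])
    if user is None:
        return None, "no user"
    if user.sub is not None and user.sub != claims["sub"]:
        return None, "sub mismatch"
    raw = claims.get("email_verified")        # absent claim counts as not verified
    verified = raw is True or raw == "true"   # the two forms the patch accepts
    if not allow_email_linking or (require_email_verified and not verified):
        return None, "refused to link"
    user.sub = claims["sub"]
    return user, "linked by email"


if __name__ == "__main__":
    # Constructed token: a subject MISP has never seen, asserting bob's email.
    claims = {"sub": "idp-sub-unknown", "email": "bob@example.org"}
    print(resolve_vulnerable(fresh_users(), claims))  # bob, "linked by email"
    print(resolve_patched(fresh_users(), claims))     # None, "refused to link"
```

Running the module shows the difference the patch makes for the same token: the vulnerable resolver binds the unknown subject to bob's NULL-sub account, while the patched resolver refuses because allow_email_linking is off; even with linking enabled, a missing or false email_verified claim still refuses, and an account that already has a different sub bound is rejected by both versions.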
Detection Methods for CVE-2026-9084
Indicators of Compromise
- MISP application logs showing successful OIDC logins where the resolved user's prior sub value was NULL and is suddenly populated with a new subject identifier.
- IdP authentication events where multiple distinct accounts share or change to the same email claim shortly before logging into MISP.
- Unexpected administrative actions, API key generation, or data exfiltration performed by accounts that historically used only local authentication.
Detection Strategies
- Audit the MISP users table for accounts with sub IS NULL and correlate against recent OIDC login events to identify any newly bound identities.
- Parse MISP error logs for the patched warning string Refusing to link OIDC identity to existing user with NULL sub to detect post-patch attempts that may indicate ongoing probing.
- Compare IdP-side email change history against MISP login events to detect attackers manipulating the email claim to match a target.
Monitoring Recommendations
- Forward MISP authentication logs and IdP audit logs to a central SIEM and alert on sub field changes for existing user records.
- Monitor for first-time OIDC logins by users who previously authenticated only via local credentials, especially privileged accounts.
- Track failed-then-successful login sequences from new client IPs targeting administrator or org-admin MISP accounts.
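The two detection strategies that can be automated directly, the sub-IS-NULL audit correlated across snapshots and the search for the patched refusal string, are shown below as an added example; this is not MISP tooling. The users-table snapshots and the log lines are constructed, and the log layout (timestamp, level, user, message) is an assumption to be adapted to the real format of a deployment; the refusal message itself and its key=value fields follow the patch.

```python
# Added detection helpers for the CVE-2026-9084 linking path; not MISP tooling.
# The log line format and the users-table snapshots are constructed for
# illustration; adapt REFUSAL_RE to the real log layout of your deployment.
import re
from collections import Counter

# Constructed snapshots of (user id -> sub) taken before and after an audit window.
SUBS_BEFORE = {1: "idp-sub-alice", 2: None, 3: None}
SUBS_AFTER = {1: "idp-sub-alice", 2: "idp-sub-unknown", 3: None}

# Constructed error-log lines carrying the patched refusal message.
SAMPLE_LOG = """\
2026-05-21 10:02:13 Error: bob@example.org Refusing to link OIDC identity to existing user with NULL sub (allow_email_linking=false, require_email_verified=true, email_verified=NULL).
2026-05-21 10:02:40 Error: bob@example.org Refusing to link OIDC identity to existing user with NULL sub (allow_email_linking=false, require_email_verified=true, email_verified=true).
2026-05-21 10:05:07 Error: carol@example.org Refusing to link OIDC identity to existing user with NULL sub (allow_email_linking=true, require_email_verified=true, email_verified=false).
2026-05-21 10:06:00 Info: alice@example.org logged in via OIDC.
"""

REFUSAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Error: (?P<email>\S+) "
    r"Refusing to link OIDC identity to existing user with NULL sub "
    r"\((?P<kv>[^)]*)\)\.$"
)


def newly_bound_subs(before, after):
    """User ids whose sub went from NULL to a value between the two snapshots:
    the indicator of a link made through the fallback path."""
    return sorted(uid for uid, sub in after.items()
                  if sub is not None and before.get(uid) is None)


def parse_refusals(log_text):
    """Structured records for every refusal line; non-matching lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = REFUSAL_RE.match(line)
        if not m:
            continue
        # "allow_email_linking=false, require_email_verified=true, ..." -> dict
        kv = dict(item.split("=", 1) for item in m.group("kv").split(", "))
        records.append({"ts": m.group("ts"), "email": m.group("email"), **kv})
    return records


def refusals_by_email(log_text, threshold=2):
    """Emails with at least `threshold` refusals in the window; repeated
    attempts against one NULL-sub account are the probing signal to alert on."""
    counts = Counter(r["email"] for r in parse_refusals(log_text))
    return {email: n for email, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(newly_bound_subs(SUBS_BEFORE, SUBS_AFTER))  # [2]
    print(refusals_by_email(SAMPLE_LOG))              # {'bob@example.org': 2}
```

In practice the snapshots come from the `SELECT id, email, sub FROM users` query taken on a schedule and the log text from the SIEM; a user id reported by newly_bound_subs should be matched against the OIDC login events for that window, and any email that crosses the refusal threshold should be checked on the IdP side for recent email changes, as the third strategy above describes.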
How to Mitigate CVE-2026-9084
Immediate Actions Required
- Update MISP to a version containing commit 71f5662c1b5886613d2cd5c72fd93bb4ca6fa172 in the OIDC authentication plugin.
- Inventory all local MISP accounts where sub IS NULL and either bind them to a verified OIDC subject manually or disable the accounts until migration is complete.
- Confirm the configured IdP enforces email ownership and issues a reliable email_verified claim before enabling any linking behavior.
- Rotate API keys and force password resets for any accounts suspected of having been accessed via the email-linking path.
Patch Information
The fix is delivered in MISP commit 71f5662c1b5886613d2cd5c72fd93bb4ca6fa172. It modifies app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php and app/Plugin/OidcAuth/Lib/Oidc.php to require explicit operator opt-in via OidcAuth.allow_email_linking and to enforce email_verified by default through OidcAuth.require_email_verified.
Workarounds
- Leave OidcAuth.allow_email_linking set to its default of false and do not enable email-based account linking unless the IdP is fully trusted to assert email ownership.
- Keep OidcAuth.require_email_verified set to true so that linking, when enabled, requires the token's email_verified claim to be true.
- Pre-populate the sub column for all existing local users via an out-of-band migration so that the vulnerable fallback path is never reached.
# Configuration example: enforce safe defaults in MISP config.php
# Refuse silent linking; require verified email when linking is ever enabled.
'OidcAuth' => [
    'allow_email_linking' => false,   // default; do not enable on untrusted IdPs
    'require_email_verified' => true, // default; require email_verified=true from token
],

# Identify local accounts vulnerable to the email-linking path
mysql -e "SELECT id, email FROM users WHERE sub IS NULL;" misp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.