CVE-2026-9136 Overview
CVE-2026-9136 is an Insecure Direct Object Reference [CWE-639] vulnerability in the Malware Information Sharing Platform (MISP) ShadowAttribute proposal creation workflow. The add action accepts user-controlled request data without stripping the id field before saving the record. The underlying framework treats a supplied primary key as an update instruction, so an authenticated user submitting a proposal can overwrite an existing ShadowAttribute record. This breaks the intended boundary between creating new proposals and modifying existing ones across event contexts. The issue is fixed in MISP 2.5.38.
Critical Impact
Authenticated users can modify shadow attribute proposals tied to events they should not be able to alter, and may expose or move proposal data across event contexts.
Affected Products
- MISP (Malware Information Sharing Platform) versions prior to 2.5.38
- ShadowAttribute proposal workflow within MISP
- Deployments exposing the proposal add API endpoint to authenticated users
Discovery Timeline
- 2026-05-20 - CVE-2026-9136 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-9136
Vulnerability Analysis
The vulnerability lives in the ShadowAttribute proposal creation logic in MISP. When a client submits a proposal, the controller passes the entire request body to the persistence layer without removing the id field. CakePHP-style ORM behavior interprets a populated primary key as an update directive rather than an insert. As a result, the add endpoint silently transforms into an update endpoint when the attacker supplies an id value.
An authenticated user with permission to submit proposals can target any existing ShadowAttribute record by guessing or enumerating its identifier. The update can rewrite proposal content and, depending on how relational fields are handled, shift the proposal between event contexts. This breaks the trust model that keeps proposals scoped to events a user is authorized to view or comment on.
Root Cause
The root cause is trust in a client-supplied primary key during object creation. The controller did not sanitize the incoming ShadowAttribute payload to remove the id field before invoking the save operation. The fix removes the id field from inbound data so the endpoint always creates a new record. See the MISP commit 49911b1 for the patch.
Attack Vector
Exploitation requires network access to the MISP API and a valid account with proposal submission rights. The attacker issues a POST request to the ShadowAttribute add endpoint and includes an id parameter referencing a target proposal. The server processes the request as an update, overwriting the target record with attacker-controlled values. No user interaction or elevated privileges beyond a basic authenticated role are required.
No verified public proof-of-concept code is available. Refer to the MISP commit for the precise data flow and the corrective change.
Detection Methods for CVE-2026-9136
Indicators of Compromise
- POST requests to the ShadowAttribute add endpoint that contain an id field in the request body.
- ShadowAttribute records with modified timestamps that diverge from their created timestamps without a corresponding edit action in audit logs.
- Proposals whose event_id or attribute_id references events the submitting user lacks permission to view.
Detection Strategies
- Inspect MISP application logs and reverse proxy access logs for proposal creation requests containing primary key parameters.
- Compare proposal author identities against the owning event's authorized contributor list to surface cross-context modifications.
- Run database queries that flag ShadowAttribute rows updated by users outside the parent event's organization scope.
Monitoring Recommendations
- Forward MISP audit logs and API access logs to a centralized analytics platform for retrospective queries.
- Alert on bulk enumeration patterns against the ShadowAttribute API such as sequential id values in successive requests.
- Track baseline rates of proposal creation per user and trigger review when modification volume exceeds expected thresholds.
How to Mitigate CVE-2026-9136
Immediate Actions Required
- Upgrade MISP to version 2.5.38 or later, which removes the id field from incoming ShadowAttribute payloads.
- Audit historical proposal data for unauthorized modifications by correlating ShadowAttribute updates with submitter permissions.
- Review and tighten role assignments so only required accounts retain proposal submission rights.
Patch Information
The fix is included in MISP 2.5.38. The patch strips the id field from inbound ShadowAttribute request data before the save call, ensuring the add action only creates new records. The change is published in MISP commit 49911b1d4b6e4517d803e50e3d980aaa4d37c16d.
Workarounds
- Restrict access to the ShadowAttribute proposal API to trusted user groups until patching is complete.
- Add a reverse proxy or web application firewall rule that rejects requests to the proposal add endpoint when the body contains an id field.
- Increase audit logging verbosity for proposal creation events to enable rapid forensic review.
# Example WAF rule snippet to block id field in ShadowAttribute proposal add requests
SecRule REQUEST_URI "@contains /shadow_attributes/add" \
"chain,phase:2,deny,status:400,id:1009136,msg:'Block client-supplied id in ShadowAttribute add'"
SecRule REQUEST_BODY "@rx \"id\"\s*:\s*\"?\d+" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
