CVE-2026-9137 Overview
CVE-2026-9137 affects the Content Security Policy (CSP) report endpoint in MISP, the open-source threat intelligence platform. The endpoint was designed to truncate logged CSP reports at 1 kilobyte (KB). Due to an incorrect size comparison, the code allowed reports up to 1 megabyte (MB) before truncation, a 1024x discrepancy between intended and actual behavior.
Where the endpoint is exposed to untrusted clients, attackers can submit oversized CSP reports to inflate log volume. Repeated submissions contribute to resource exhaustion or log flooding on the host. The flaw maps to [CWE-400] Uncontrolled Resource Consumption.
Critical Impact
Unauthenticated attackers can submit large CSP reports against a network-reachable MISP instance to drive log growth and degrade availability.
Affected Products
- MISP (Malware Information Sharing Platform) instances containing the unpatched ServersController CSP report handler
- Deployments exposing the CSP report endpoint to untrusted networks
- MISP installations prior to the fix commit 02932cc
Discovery Timeline
- 2026-05-20 - CVE-2026-9137 published to the National Vulnerability Database (NVD)
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-9137
Vulnerability Analysis
The defect resides in app/Controller/ServersController.php, which handles inbound CSP violation reports. The handler JSON-encodes the csp-report payload and writes the result to the application log. Before logging, the controller checks the encoded report length and truncates oversized content.
The size comparison used the expression 1024 * 1024, which evaluates to 1,048,576 bytes (1 MB) instead of the intended 1024 bytes (1 KB). Any report below 1 MB was logged in full. Attackers can send near-1 MB CSP reports to amplify on-disk log writes by three orders of magnitude beyond what the developers intended.
Root Cause
The root cause is an input validation error in the truncation logic. The comment in the source code states the intent (limit report to 1 kB), but the implementation multiplies the kilobyte value by 1024 a second time. This mismatch between documented intent and runtime behavior leaves the truncation control effectively disabled for reports below 1 MB.
Attack Vector
The endpoint accepts CSP reports over the network without authentication. An attacker scripts repeated POST requests carrying maximum-size JSON payloads. Each request appends close to 1 MB to the application log file. Sustained submissions consume disk capacity, increase I/O pressure, and can disrupt log aggregation pipelines.
$message .= ' from IP ' . $remoteIp;
}
$report = JsonTool::encode($report['csp-report'], true);
- if (strlen($report) > 1024 * 1024) { // limit report to 1 kB
- $report = substr($report, 0, 1024 * 1024) . '...';
+ if (strlen($report) > 1024) { // limit report to 1 kB
+ $report = substr($report, 0, 1024) . '...';
}
$this->log("$message: $report");
Source: MISP commit 02932cc (patch)
Detection Methods for CVE-2026-9137
Indicators of Compromise
- High-volume POST requests to the MISP CSP report endpoint from a single source IP or a small set of IPs
- Application log entries containing CSP report payloads approaching 1 MB in size
- Rapid growth of MISP log files or log shipping queues without a corresponding increase in legitimate user activity
Detection Strategies
- Parse web server access logs for repeated POST requests to the CSP report URI with abnormally large Content-Length values
- Alert when the MISP application log file growth rate exceeds an established baseline
- Correlate spikes in log ingestion volume from MISP hosts with source IP reputation data
Monitoring Recommendations
- Monitor disk utilization and inode consumption on MISP application and log volumes
- Track request rate and payload size distribution at the reverse proxy or web application firewall (WAF) in front of MISP
- Forward MISP application logs to a centralized data lake and alert on sudden volume anomalies
How to Mitigate CVE-2026-9137
Immediate Actions Required
- Apply the upstream MISP patch from commit 02932cc that corrects the size comparison to 1024 bytes
- Restrict access to the CSP report endpoint so only trusted networks or authenticated sessions can reach it
- Rotate and archive existing MISP application logs to recover disk capacity if log flooding has already occurred
Patch Information
The fix is committed to the MISP repository in app/Controller/ServersController.php. The patch replaces 1024 * 1024 with 1024 in both the strlen check and the substr truncation call, enforcing the intended 1 KB limit. See the MISP security commit for the authoritative change.
Workarounds
- Place a reverse proxy or WAF in front of MISP and cap request body size on the CSP report path to 1 KB
- Apply rate limiting on the CSP report endpoint to constrain submissions per source IP
- Temporarily disable CSP violation reporting in the MISP configuration if logging is non-essential
# Example nginx limit for the CSP report endpoint
location /servers/cspReport {
client_max_body_size 1k;
limit_req zone=csp_zone burst=5 nodelay;
proxy_pass http://misp_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
