CVE-2026-54362
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
A flaw in the visibility conditions in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The use of a PHP comparison expression instead of a query condition resulted in enabled galaxies, including organisation-only custom galaxies, being exposed.
Risk Assessment
Organizations may be at risk of disclosing metadata about private galaxy definitions, potentially leading to unauthorized access to sensitive information.
Recommendation
It is recommended to review and improve access control conditions in the template builder to ensure that only authorized users can access the appropriate galaxies.
Original NVD description (English source)
An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users.

