CVE-2026-54398
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
MISP has an authorization flaw in object add/edit handling that allows an authenticated user with object editing permissions to assign a MISP object or its attributes to a sharing group that the user is not authorized to use. The sharing group validation is performed against the wrong data structure, allowing the check to be bypassed.
Risk Assessment
An attacker could exploit this vulnerability to disclose the existence or name of otherwise non-visible sharing groups and improperly modify the distribution metadata of objects or their attributes. This could lead to unauthorized access to sensitive information.
Recommendation
It is recommended to review and improve the sharing group validation mechanisms in MISP to ensure that users cannot assign objects to groups they are not authorized to use. Additionally, an audit of user permissions and monitoring of any unauthorized changes should be conducted.
Original NVD description (English source)
An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use. An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.

