CVE-2026-9084
Status: Received - Intake
OIDC Identity Linking Flaw in MISP Allows Account Takeover

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-05-20
AI Q&A: 2026-05-20
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: misp
Product: misp
Version / Range: to 2026-08-01 (inc)
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in MISP's OIDC authentication plugin, which automatically linked an OIDC identity to an existing local user account based solely on the email claim whenever the local account had no stored sub value.

Under insecure or untrusted Identity Provider (IdP) configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user.

This leads to an account takeover vulnerability because the system incorrectly trusts the email claim without verifying ownership.

A security fix introduced configuration options to require email verification and control email linking to prevent unauthorized account linking.


How can this vulnerability impact me?

This vulnerability can lead to an attacker taking over existing user accounts by exploiting the automatic linking of OIDC identities based on unverified email claims.

If your MISP instance uses insecure or untrusted Identity Providers that do not enforce email ownership, an attacker with a valid OIDC token could impersonate legitimate users.

Such account takeover can result in unauthorized access to sensitive information, manipulation of data, and potential disruption of services.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the MISP platform to include the security fix that introduces two new configuration options: "allow_email_linking" and "require_email_verified".

  • Ensure "allow_email_linking" is disabled (default setting) to prevent automatic linking of OIDC identities based on email claims.
  • Make sure "require_email_verified" is enabled (default setting) so that the system requires the email_verified claim to be true before linking accounts.

Review your Identity Provider (IdP) configurations to ensure they are secure and enforce email ownership properly, avoiding insecure or untrusted setups that could allow attackers to assert victim email addresses.
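As an added illustration (not MISP's own code), the account-linking decision before and after the fix, modelled in Python around the two options named above; the user record and OIDC claim sets are constructed dicts, and the field names are assumptions:

```python
# Added example (not MISP's code): models the OIDC-to-local-account linking
# decision described in CVE-2026-9084, before and after the fix.
# Assumptions: a local user is a dict with "email" and an optional "sub";
# OIDC claims are a dict with "sub", "email" and optional "email_verified".
from typing import Optional


def link_vulnerable(local: dict, claims: dict) -> Optional[str]:
    """Pre-fix behaviour: when the local account has no stored sub, any token
    whose email claim matches is linked and logged in. Returns the matched
    user's email, or None when login is refused."""
    if local.get("sub"):
        return local["email"] if local["sub"] == claims.get("sub") else None
    # No stored sub: the email claim alone is trusted (the CWE-287 flaw).
    return local["email"] if local["email"] == claims.get("email") else None


def link_fixed(local: dict, claims: dict,
               allow_email_linking: bool = False,
               require_email_verified: bool = True) -> Optional[str]:
    """Post-fix behaviour using the two options named in the advisory with
    their stated defaults: email-based linking is off unless enabled, and
    then only accepted when the IdP asserts email_verified=true."""
    if local.get("sub"):
        return local["email"] if local["sub"] == claims.get("sub") else None
    if not allow_email_linking:
        return None  # unlinked accounts are not auto-linked by email
    if require_email_verified and claims.get("email_verified") is not True:
        return None  # missing or false email_verified is refused
    return local["email"] if local["email"] == claims.get("email") else None


# Constructed sample: a never-linked account (no sub) and two claim sets,
# one from an untrusted IdP asserting that email without email_verified,
# one from a trusted IdP that vouches for the address.
VICTIM = {"email": "analyst@example.org", "sub": None}
ROGUE_CLAIMS = {"sub": "other-1", "email": "analyst@example.org"}
TRUSTED_CLAIMS = {"sub": "idp-42", "email": "analyst@example.org",
                  "email_verified": True}

if __name__ == "__main__":
    print("vulnerable:", link_vulnerable(VICTIM, ROGUE_CLAIMS))   # analyst@example.org
    print("fixed, defaults:", link_fixed(VICTIM, ROGUE_CLAIMS))   # None
    print("fixed, linking on, verified:",
          link_fixed(VICTIM, TRUSTED_CLAIMS, allow_email_linking=True))  # analyst@example.org
```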


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in MISP’s OIDC authentication plugin allows an attacker to take over user accounts by asserting a victim’s email address when email ownership is not enforced by the Identity Provider (IdP). This unauthorized account takeover can lead to unauthorized access to sensitive personal or protected health information.

Such unauthorized access poses risks to compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on user authentication and protection of personal data. If an attacker can impersonate a user, it may result in data breaches or unauthorized data processing, violating these regulations.

The security fix introduces configuration options to require verified email claims and restrict automatic email-based account linking, helping to mitigate the risk and support compliance by ensuring stronger authentication controls.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking if the MISP OIDC authentication plugin is configured to allow automatic linking of OIDC identities to local user accounts based solely on the email claim without verifying the email ownership.

Specifically, you should verify whether the configuration options "allow_email_linking" and "require_email_verified" are set correctly. "allow_email_linking" should be disabled (default), and "require_email_verified" should be enabled to prevent unauthorized account linking.

To detect potential exploitation attempts on your system, you can monitor authentication logs for OIDC login attempts where the email claim is used to link accounts without a verified email. Look for unusual or unexpected login events where the email_verified claim is missing or false.

While no specific commands are provided in the resources, you can use general log inspection commands such as:

  • grep or tail commands on MISP authentication logs to find OIDC login attempts, e.g., `grep 'OIDC' /var/log/misp/auth.log`
  • Use tools like `journalctl` if MISP logs to systemd journal, e.g., `journalctl -u misp.service | grep OIDC`
  • Check configuration files for the OIDC plugin settings, e.g., `grep -E 'allow_email_linking|require_email_verified' /path/to/misp/config`
