CVE-2026-9084
Awaiting Analysis Awaiting Analysis - Queue
OIDC Identity Linking Flaw in MISP Allows Account Takeover

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-9084
EUVD
EUVD-2026-31123
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
misp misp to 2026-08-01 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in MISP's OIDC authentication plugin, where it allowed automatic linking of an OIDC identity to an existing local user account based solely on the email claim if the local account had no stored sub value.

Under insecure or untrusted Identity Provider (IdP) configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user.

This leads to an account takeover vulnerability because the system incorrectly trusts the email claim without verifying ownership.

A security fix introduced configuration options to require email verification and control email linking to prevent unauthorized account linking.

Impact Analysis

This vulnerability can lead to an attacker taking over existing user accounts by exploiting the automatic linking of OIDC identities based on unverified email claims.

If your MISP instance uses insecure or untrusted Identity Providers that do not enforce email ownership, an attacker with a valid OIDC token could impersonate legitimate users.

Such account takeover can result in unauthorized access to sensitive information, manipulation of data, and potential disruption of services.

Mitigation Strategies

To mitigate this vulnerability, update the MISP platform to include the security fix that introduces two new configuration options: "allow_email_linking" and "require_email_verified".

  • Ensure "allow_email_linking" is disabled (default setting) to prevent automatic linking of OIDC identities based on email claims.
  • Make sure "require_email_verified" is enabled (default setting) so that the system requires the email_verified claim to be true before linking accounts.

Review your Identity Provider (IdP) configurations to ensure they are secure and enforce email ownership properly, avoiding insecure or untrusted setups that could allow attackers to assert victim email addresses.

Compliance Impact

The vulnerability in MISP’s OIDC authentication plugin allows an attacker to take over user accounts by asserting a victim’s email address when email ownership is not enforced by the Identity Provider (IdP). This unauthorized account takeover can lead to unauthorized access to sensitive personal or protected health information.

Such unauthorized access poses risks to compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on user authentication and protection of personal data. If an attacker can impersonate a user, it may result in data breaches or unauthorized data processing, violating these regulations.

The security fix introduces configuration options to require verified email claims and restrict automatic email-based account linking, helping to mitigate the risk and support compliance by ensuring stronger authentication controls.

Detection Guidance

Detection of this vulnerability involves checking if the MISP OIDC authentication plugin is configured to allow automatic linking of OIDC identities to local user accounts based solely on the email claim without verifying the email ownership.

Specifically, you should verify whether the configuration options "allow_email_linking" and "require_email_verified" are set correctly. "allow_email_linking" should be disabled (default), and "require_email_verified" should be enabled to prevent unauthorized account linking.

To detect potential exploitation attempts on your system, you can monitor authentication logs for OIDC login attempts where the email claim is used to link accounts without a verified email. Look for unusual or unexpected login events where the email_verified claim is missing or false.

While no specific commands are provided in the resources, you can use general log inspection commands such as:

  • grep or tail commands on MISP authentication logs to find OIDC login attempts, e.g., `grep 'OIDC' /var/log/misp/auth.log`
  • Use tools like `journalctl` if MISP logs to systemd journal, e.g., `journalctl -u misp.service | grep OIDC`
  • Check configuration files for the OIDC plugin settings, e.g., `grep -E 'allow_email_linking|required_email_verified' /path/to/misp/config`
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9084. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart