CVE-2026-54358
Deferred - Pending Action

Incorrect Authorization in MISP Allows Privilege Escalation

Vulnerability report for CVE-2026-54358, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description

An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own organization, but did not exclude accounts assigned a site administrator role from recipient queries. As a result, an organization administrator could perform privileged account-management actions, such as initiating a password reset workflow, against a higher-privileged site administrator account in the same organization. Successful exploitation may allow an authenticated organization administrator to interfere with or potentially take over a site administrator account, resulting in privilege escalation and full compromise of the MISP instance’s confidentiality, integrity, and availability. Attack prerequisites: The attacker must be authenticated as an organization administrator in the same organization as a site administrator account.


Meta Information

Published: 2026-06-12
Last Modified: 2026-06-15
Generated: 2026-07-03
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-07-01
External records: NVD, EUVD

Affected Vendors & Products (1 associated CPE)

Vendor  Product  Version / Range
misp    misp     *

Exploitability

CWE ID   Description
CWE-863  The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.


AI Quick Actions (AI-generated summaries)
Executive Summary

This vulnerability is an incorrect authorization issue in MISP that allows an organization administrator to target site administrator accounts within the same organization using the administrative email functionality.

Although the code restricted organization administrators to users within their own organization, it failed to exclude accounts with the site administrator role from recipient queries.

As a result, an organization administrator could perform privileged actions, such as initiating a password reset, on a higher-privileged site administrator account in the same organization.

Compliance Impact

This vulnerability allows an organization administrator to escalate privileges by targeting site administrator accounts within the same organization, potentially leading to full compromise of the MISP instance's confidentiality, integrity, and availability.

Such a compromise could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and administrative functions to protect personal and health information.

By enabling unauthorized privilege escalation and potential account takeover, the vulnerability increases the risk of unauthorized data access or modification, which could result in violations of these regulatory requirements.

Impact Analysis

If exploited successfully, an authenticated organization administrator could interfere with or potentially take over a site administrator account.

This leads to privilege escalation and full compromise of the MISP instance’s confidentiality, integrity, and availability.

Mitigation Strategies

To mitigate this vulnerability, apply the patch that modifies the `admin_email` function in the `UsersController.php` file of MISP.

The patch prevents organization administrators from targeting site administrator accounts by excluding site admin roles from recipient queries during email reset operations.

This ensures that organization admins cannot perform privileged account-management actions, such as initiating password resets, against site admin accounts within the same organization.
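The recipient-selection check described above, modelled in Python as an added example (this is not MISP's PHP code); the `perm_site_admin` flag is assumed here as the role attribute that distinguishes a site administrator from an organization administrator. The vulnerable variant scopes recipients by organization only, the fixed variant also excludes site administrators:

```python
"""Model of the recipient query behind CVE-2026-54358 (constructed example, not MISP's code).
An org admin may only address users of their own organization; the vulnerable version
forgets to exclude site administrators from that set, the fixed version excludes them."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    perm_site_admin: bool  # assumed role flag: True for a site administrator


# Constructed user directory: org 1 holds a site admin (id 1) and an org admin (id 2).
USERS = [
    User(1, 1, perm_site_admin=True),
    User(2, 1, perm_site_admin=False),
    User(3, 1, perm_site_admin=False),
    User(4, 2, perm_site_admin=False),
]


def recipients_vulnerable(actor: User, users=USERS):
    """Pre-fix behaviour: the only restriction is the actor's own organization (CWE-863)."""
    if actor.perm_site_admin:
        return list(users)
    return [u for u in users if u.org_id == actor.org_id]


def recipients_fixed(actor: User, users=USERS):
    """Post-fix behaviour: org admins are additionally barred from site-admin accounts."""
    if actor.perm_site_admin:
        return list(users)
    return [u for u in users
            if u.org_id == actor.org_id and not u.perm_site_admin]


def can_target(actor: User, target: User, select=recipients_fixed) -> bool:
    """Authorization decision for one recipient of an administrative email action."""
    return any(u.id == target.id for u in select(actor))
```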

Detection Guidance

This vulnerability involves an organization administrator being able to perform privileged actions on site administrator accounts within the same organization via the administrative email functionality in MISP.

To detect exploitation attempts on your system, you should monitor for unusual password reset or email change requests initiated by organization administrators targeting site administrator accounts.

Specifically, you can audit logs for calls to the `admin_email` function or related API endpoints that handle administrative email or password reset workflows.

Since the vulnerability requires authentication as an organization administrator, commands or queries to check for suspicious activity could include:

  • Review web server or application logs for POST requests to endpoints related to user email or password reset changes, filtering for requests made by organization administrators.
  • Use grep or similar tools to search logs for keywords like 'admin_email', 'password reset', or 'email change' associated with organization admin user IDs.
  • Example command to search logs (adjust paths and log formats accordingly, and replace `organization_admin_user_id` with the user ID of the organization administrator under review): `grep -iE 'admin_email|password reset|email change' /var/log/misp/application.log | grep 'organization_admin_user_id'`
  • Monitor for any unexpected changes in site administrator account details, such as email addresses or password reset events initiated by organization administrators.

Implementing these monitoring steps can help detect attempts to exploit this vulnerability before the patch is applied.
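The correlation the bullets above call for, as an added example in Python (not part of the original record): it walks a constructed JSON-lines audit log and reports `admin_email` requests in which an organization administrator addresses a site administrator. The log field names and the role directory are assumptions; a real deployment would map its own log format and user table onto them.

```python
"""Added detection example for CVE-2026-54358 (constructed log format, not MISP's own)."""
import json

# Constructed role directory: user_id -> (org_id, is_site_admin).
ROLES = {1: (1, True), 2: (1, False), 3: (1, False), 4: (2, False)}

# Constructed JSON-lines audit log; field names are assumptions for this example.
SAMPLE_LOG = """\
{"ts": "2026-06-13T08:01:02Z", "user_id": 2, "action": "admin_email", "recipients": [3]}
{"ts": "2026-06-13T08:05:41Z", "user_id": 2, "action": "admin_email", "recipients": [1, 3]}
{"ts": "2026-06-13T08:06:00Z", "user_id": 1, "action": "admin_email", "recipients": [2, 4]}
{"ts": "2026-06-13T08:07:15Z", "user_id": 2, "action": "view_event", "recipients": []}
"""


def suspicious_admin_email(log_text: str, roles=ROLES):
    """Return (timestamp, actor_id, [site-admin target ids]) for every admin_email request
    issued by an organization administrator that reaches a site administrator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") != "admin_email":
            continue
        actor = roles.get(rec.get("user_id"))
        if actor is None or actor[1]:  # unknown actor, or a site admin acting legitimately
            continue
        targets = [t for t in rec.get("recipients", []) if t in roles and roles[t][1]]
        if targets:
            hits.append((rec["ts"], rec["user_id"], targets))
    return hits
```

Only the second line is reported: the first addresses an ordinary member, the third is issued by the site administrator, and the fourth is not an administrative email action.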
