CVE-2026-54359
Cross-Site Request Forgery in MISP Automation Endpoints

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote unauthenticated attacker could craft a malicious web page that causes an authenticated MISP user’s browser to issue cross-site requests to MISP automation endpoints. If successful, the forged requests may be processed with the privileges of the victim user, potentially allowing unauthorized modification of MISP data or configuration. Enabling Security.check_sec_fetch_site_header mitigates this issue, although operators of multi-homed MISP deployments should validate the setting before enforcing it.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: misp
Product: misp
Version / Range: *
CWE IDs
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-1188: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Executive Summary

This vulnerability exists because MISP has an insecure default configuration where the Security.check_sec_fetch_site_header control is disabled.

When this setting is disabled, state-changing requests like POST, PUT, or AJAX are not restricted based on the browser's Sec-Fetch-Site header.

A remote unauthenticated attacker can exploit this by crafting a malicious web page that causes an authenticated MISP user's browser to send cross-site requests to MISP automation endpoints.

If successful, these forged requests may be processed with the victim user's privileges, potentially allowing unauthorized modification of MISP data or configuration.

Enabling the Security.check_sec_fetch_site_header setting mitigates this issue, although multi-homed MISP deployments should validate this setting before enforcing it.

Compliance Impact

The provided information does not explicitly address how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can allow a remote attacker to perform unauthorized actions on behalf of an authenticated MISP user.

Specifically, the attacker can cause the victim's browser to send forged cross-site requests to MISP automation endpoints, which may be processed with the victim's privileges.

As a result, unauthorized modification of MISP data or configuration could occur, potentially compromising the integrity and security of the MISP instance.

Detection Guidance

This vulnerability can be detected by checking whether the Security.check_sec_fetch_site_header setting is disabled in your MISP instance configuration. If this setting is disabled, your system is vulnerable to cross-site request forgery attacks via automation endpoints.

Administrators can look for warnings related to the Sec-Fetch-Site header in the MISP platform logs or configuration interface, as recent updates introduce alerts when this setting is disabled.

The advisory gives no specific commands, but you can inspect the MISP configuration files, or search for the setting directly, for example:

  • grep -r 'check_sec_fetch_site_header' /path/to/misp/config/
  • Check the MISP logs for warnings about the Sec-Fetch-Site header setting.

Mitigation Strategies

The immediate mitigation step is to enable the Security.check_sec_fetch_site_header setting in your MISP configuration. This setting restricts state-changing requests based on the browser-provided Sec-Fetch-Site header, preventing unauthorized cross-site requests.

Operators of multi-homed MISP deployments should validate this setting carefully before enforcing it, as enabling it may interfere with instances hosted across multiple addresses.

Enabling this setting will help protect against CSRF attacks targeting MISP automation endpoints.
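To make the control described in the Detection Guidance and Mitigation Strategies sections concrete, the following is an added example, not MISP's own code, of a Sec-Fetch-Site gate of the kind the Security.check_sec_fetch_site_header setting enables. The function names, the "report" mode used to validate before enforcing, and the sample requests are assumptions for illustration.

```python
# Added example (not MISP's own code): a Fetch Metadata gate of the kind
# Security.check_sec_fetch_site_header enables. Function names, the "report"
# mode and the constructed sample requests below are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Sec-Fetch-Site values a browser sets when the request did not originate
# from another site (Fetch Metadata Request Headers).
TRUSTED_SITES = {"same-origin", "same-site", "none"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def check_sec_fetch_site(req: Request, mode: str = "enforce") -> tuple[bool, str]:
    """Return (allowed, reason).
    mode "off":     the insecure default, nothing is checked;
    mode "report":  never block, but flag what "enforce" would block, so a
                    multi-homed operator can validate before enforcing;
    mode "enforce": block state-changing browser requests labelled cross-site.
    """
    if mode == "off":
        return True, "check disabled"
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    site = req.headers.get("Sec-Fetch-Site")
    if site is None:
        # Non-browser API clients send no Fetch Metadata and cannot be driven
        # by a hostile web page, so they are let through unchanged.
        return True, "no Sec-Fetch-Site header (non-browser client)"
    site = site.strip().lower()
    if site in TRUSTED_SITES:
        return True, f"Sec-Fetch-Site={site}"
    reason = f"cross-site {req.method.upper()} to {req.path} (Sec-Fetch-Site={site})"
    if mode == "report":
        return True, "would block: " + reason
    return False, "blocked: " + reason


# Constructed sample traffic: an API-key client, a same-origin UI action,
# a forged request from a page on another site, and a cross-site read.
SAMPLE = [
    Request("POST", "/automation/example", {"Authorization": "<api key>"}),
    Request("POST", "/automation/example", {"Sec-Fetch-Site": "same-origin"}),
    Request("POST", "/automation/example", {"Sec-Fetch-Site": "cross-site"}),
    Request("GET", "/automation/example", {"Sec-Fetch-Site": "cross-site"}),
]


def evaluate(mode: str) -> list[bool]:
    return [check_sec_fetch_site(r, mode)[0] for r in SAMPLE]
```

Running `evaluate("report")` on real traffic before switching to `"enforce"` surfaces any legitimate requests a multi-homed deployment would otherwise lose.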
