CVE-2026-54360

Mass Assignment in MISP Sharing Groups

Vulnerability report for CVE-2026-54360, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one. An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.

Affected component: app/Controller/SharingGroupsController.php, add() action

Meta Information

Published: 2026-06-12
Last Modified: 2026-06-15
Generated: 2026-07-03
AI Q&A: 2026-06-13
EPSS Evaluated: 2026-07-01
External references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor: misp
Product: misp
Version / Range: *

Exploitability

CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

AI Quick Actions

Detection Guidance

This vulnerability involves an authenticated user submitting an 'id' field during the creation of a sharing group in MISP, which can cause unauthorized modification of existing sharing groups. Detection would involve monitoring or inspecting requests to the sharing group creation endpoint for the presence of an unexpected 'id' parameter in the submitted data.

To detect attempts to exploit this vulnerability, you can analyze web server logs or use network monitoring tools to look for POST requests to the sharing group creation endpoint that include an 'id' field in the payload.

Example commands to detect such requests might include:

  • Using grep on web server logs to find POST requests to the sharing group endpoint with 'id' in the payload:
      grep -i 'POST' /var/log/apache2/access.log | grep 'sharing_groups' | grep 'id='
  • Using tcpdump or tshark to capture HTTP POST requests and filter for 'id' in the data:
      tshark -Y 'http.request.method == "POST" && http.file_data contains "id="' -T fields -e ip.src -e http.file_data
  • If you have access to the application logs or can enable debug logging, look for creation requests that include an 'id' field in the submitted data.

Note that detection requires authentication context since only authenticated users with permission to add sharing groups can exploit this vulnerability.
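As an added example (not code from this page or from MISP), the check described above written in Python. It works over request records rather than plain access-log lines, because standard access logs do not record POST bodies, and it flags only the add action, where a submitted id has no legitimate place. The /sharing_groups/add path, the optional .json suffix and the id field names are assumptions about MISP's CakePHP routing; the sample requests are constructed.

```python
import json
from urllib.parse import parse_qs

# Constructed sample request records (not real MISP traffic), as a reverse
# proxy or application log that retains request bodies would provide them.
# Bodies use the two shapes a CakePHP controller accepts: JSON and
# form-encoded data[Model][field] pairs (assumed field names).
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": "/sharing_groups/add",
     "body": '{"SharingGroup": {"name": "partners", "releasability": "TLP:AMBER"}}'},
    {"src": "10.0.0.9", "method": "POST", "path": "/sharing_groups/add.json",
     "body": '{"SharingGroup": {"id": "3", "name": "hijacked"}}'},
    {"src": "10.0.0.9", "method": "POST", "path": "/sharing_groups/add",
     "body": "data%5BSharingGroup%5D%5Bid%5D=3&data%5BSharingGroup%5D%5Bname%5D=x"},
    # An edit request legitimately carries the id and must not be flagged.
    {"src": "10.0.0.5", "method": "POST", "path": "/sharing_groups/edit/3",
     "body": '{"SharingGroup": {"id": "3", "name": "renamed"}}'},
]

def submitted_ids(body: str) -> list[str]:
    """Return every primary-key value found in a request body: a top-level
    "id" or "SharingGroup"."id" in JSON, or "id" / "data[SharingGroup][id]"
    in a form-encoded body (assumed field names)."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if doc is not None:
        if not isinstance(doc, dict):
            return []
        found = [str(doc["id"])] if "id" in doc else []
        inner = doc.get("SharingGroup")
        if isinstance(inner, dict) and "id" in inner:
            found.append(str(inner["id"]))
        return found
    form = parse_qs(body)  # percent-decodes both keys and values
    return [v for key in ("id", "data[SharingGroup][id]") for v in form.get(key, [])]

def flag_create_with_id(requests: list[dict]) -> list[tuple[str, list[str]]]:
    """Flag POSTs to the sharing group *create* action that carry an id.
    Only the add action is inspected: on edit the id is expected, and the
    mass-assignment problem is specific to create() followed by save()."""
    findings = []
    for r in requests:
        # Normalise "/sharing_groups/add.json?x=y" or a trailing slash to the action path.
        action = r["path"].split("?")[0].removesuffix(".json").rstrip("/")
        if r["method"] == "POST" and action == "/sharing_groups/add":
            ids = submitted_ids(r["body"])
            if ids:
                findings.append((r["src"], ids))
    return findings
```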

Mitigation Strategies

To mitigate this vulnerability, ensure that the 'id' field is explicitly removed or unset from user-supplied data when creating new sharing groups in MISP.

This prevents the create() followed by save() sequence from updating an existing sharing group and ensures that modifications go through the edit action's access-control checks.

Applying the fix from the referenced commit, which unsets the 'id' field before processing sharing group creation, is recommended.

Executive Summary

This vulnerability is a mass assignment issue in MISP's sharing group creation endpoint. When a new sharing group is created, the system did not remove a user-supplied 'id' field before saving the data. Because of how CakePHP handles save operations, providing a primary key in the input can cause the system to update an existing sharing group instead of creating a new one.

An authenticated user with permission to add sharing groups could exploit this by submitting the identifier of an existing sharing group, thereby modifying that group without passing the usual edit access-control checks.

Impact Analysis

This vulnerability can allow an attacker to take over or alter sharing groups they do not have permission to edit. This unauthorized modification can compromise the confidentiality and integrity of the information shared within those groups.

Compliance Impact

This vulnerability allows an authenticated user with permission to add sharing groups to modify existing sharing groups without proper edit access-control checks. This can lead to unauthorized alteration or takeover of sharing groups, potentially compromising the confidentiality and integrity of information shared through those groups.

Such unauthorized access and modification of sensitive information could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality and integrity.
