CVE-2026-54360: Mass Assignment in MISP Sharing Groups
Status: Received - Intake

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one. An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.

Affected component: app/Controller/SharingGroupsController.php, add() action
Meta Information
Generated: 2026-06-13
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: misp
Product: misp
Version / Range: *
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Mitigation Strategies

To mitigate this vulnerability, ensure that the 'id' field is explicitly removed or unset from user-supplied data when creating new sharing groups in MISP.

This prevents the create() followed by save() sequence from updating an existing sharing group and ensures that the normal edit access-control checks cannot be bypassed through the creation endpoint.

Applying the fix from the referenced commit, which unsets the 'id' field before processing sharing group creation, is recommended.
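The following script is an added example, not code from MISP or CakePHP. It models the save semantics described above with a small stand-in class (SimulatedModel is an assumption: a simplified emulation of CakePHP 2's Model::create() and Model::save(), which only decides between INSERT and UPDATE based on whether the submitted data carries an existing primary key). It then runs a vulnerable add() pattern and the hardened one, which unsets the client-supplied id, against the same constructed sample row so the difference is visible.

```php
<?php
// Added example; not MISP's or CakePHP's code.

// Stand-in for a CakePHP 2 model (assumption: simplified emulation of
// Model::create() and Model::save(); the real class does far more).
class SimulatedModel
{
    public $alias;
    public $id = false;
    private $rows;   // in-memory table, keyed by primary key

    public function __construct($alias, array &$rows)
    {
        $this->alias = $alias;
        $this->rows = &$rows;
    }

    // create(): reset model state, including the current id.
    public function create()
    {
        $this->id = false;
        return true;
    }

    // save(): a primary key present in the submitted data selects UPDATE
    // over INSERT. This is the behaviour the advisory describes.
    public function save(array $data)
    {
        $record = $data[$this->alias];
        if (!empty($record['id'])) {
            $this->id = (int) $record['id'];
        }
        if ($this->id !== false && isset($this->rows[$this->id])) {
            // UPDATE of an existing row; no edit authorization is consulted here.
            $this->rows[$this->id] = array_merge($this->rows[$this->id], $record);
            return $this->rows[$this->id];
        }
        // INSERT of a new row with a freshly assigned id.
        $this->id = $this->rows ? max(array_keys($this->rows)) + 1 : 1;
        $record['id'] = $this->id;
        $this->rows[$this->id] = $record;
        return $record;
    }
}

// Vulnerable add(): saves the request data exactly as submitted.
function addSharingGroupVulnerable(SimulatedModel $model, array $requestData)
{
    $model->create();
    return $model->save($requestData);
}

// Fixed add(): drop any client-supplied id before create()/save(), so the
// call can only ever insert a new row (mirrors the advisory's mitigation).
function addSharingGroupFixed(SimulatedModel $model, array $requestData)
{
    unset($requestData['SharingGroup']['id']);
    $model->create();
    return $model->save($requestData);
}

// Constructed sample data: group 1 belongs to org 1. The caller may add
// groups but has no edit rights on group 1, and submits its id anyway.
$rows = [1 => ['id' => 1, 'name' => 'Trusted Partners', 'org_id' => 1, 'active' => true]];
$submitted = ['SharingGroup' => ['id' => 1, 'name' => 'Renamed by another org']];

$vulnerableTable = $rows;
$vuln = new SimulatedModel('SharingGroup', $vulnerableTable);
addSharingGroupVulnerable($vuln, $submitted);
echo "vulnerable add(): row 1 is now   ", json_encode($vulnerableTable[1]), PHP_EOL;
// Row 1 was overwritten through the creation endpoint.

$fixedTable = $rows;
$fixed = new SimulatedModel('SharingGroup', $fixedTable);
addSharingGroupFixed($fixed, $submitted);
echo "fixed add():      row 1 is still ", json_encode($fixedTable[1]), PHP_EOL;
echo "fixed add():      new row        ", json_encode($fixedTable[2]), PHP_EOL;
```

Run it with php from the command line. The vulnerable path rewrites row 1 (the existing group) because the submitted id steers save() into an UPDATE, while the fixed path leaves row 1 untouched and inserts row 2. On a real deployment, the same check is worth applying to every create endpoint that passes request data straight into save(), and a create request that arrives carrying a primary key is itself a useful signal to log.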

Executive Summary

This vulnerability is a mass assignment issue in MISP's sharing group creation endpoint. When a new sharing group is created, the system did not remove a user-supplied 'id' field before saving the data. Because of how CakePHP handles save operations, providing a primary key in the input can cause the system to update an existing sharing group instead of creating a new one.

An authenticated user with permission to add sharing groups could exploit this by submitting the identifier of an existing sharing group, thereby modifying that group without passing the usual edit access-control checks.

Impact Analysis

This vulnerability can allow an attacker to take over or alter sharing groups they do not have permission to edit. This unauthorized modification can compromise the confidentiality and integrity of the information shared within those groups.

Compliance Impact

This vulnerability allows an authenticated user with permission to add sharing groups to modify existing sharing groups without proper edit access-control checks. This can lead to unauthorized alteration or takeover of sharing groups, potentially compromising the confidentiality and integrity of information shared through those groups.

Such unauthorized access and modification of sensitive information could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality and integrity.
