CVE-2026-54361
Status: Received (Intake)
Mass Assignment in MISP Threat Intelligence Platform

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-related fields such as id, org_id, orgc_id, and user_id. An authenticated attacker with access to the affected endpoints could craft requests containing these protected fields in order to alter object ownership, redirect an update to another record, overwrite existing event delegation requests, or modify shadow attribute proposals belonging to another organization. This could result in unauthorized modification of MISP objects and, depending on object visibility and sharing configuration, unauthorized access to or transfer of sensitive threat intelligence data.

The issue was fixed by explicitly pinning ownership and identity fields to their stored values during edit operations and by removing user-supplied primary keys from create-only save paths.

Affected components:

  • CollectionsController::edit()
  • EventDelegationsController::delegateEvent()
  • ShadowAttributesController::edit()
  • TagCollectionsController::edit()
  • TagCollectionsController::editWithTags()

Attack requirements: The attacker must be authenticated and able to reach the affected MISP endpoints. No user interaction is required.
Meta Information
Generated: 2026-06-13
AI Q&A: 2026-06-12
EPSS evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: misp
Product: misp
Version / Range: * (any version)
CWE
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions (the sections below are AI-generated)
Executive Summary

This vulnerability involves multiple mass assignment issues in the MISP software, where certain controller actions improperly accepted user-supplied fields that should have been controlled only by the server. These fields include record identifiers and ownership-related fields such as id, org_id, orgc_id, and user_id.

An authenticated attacker could exploit this by crafting requests that include these protected fields, allowing them to alter object ownership, redirect updates to other records, overwrite event delegation requests, or modify shadow attribute proposals belonging to other organizations.

The vulnerability affects several components including CollectionsController::edit(), EventDelegationsController::delegateEvent(), ShadowAttributesController::edit(), and TagCollectionsController::edit() and editWithTags().

Impact Analysis

If exploited, this vulnerability can lead to unauthorized modification of MISP objects. Attackers could change ownership of objects, redirect updates to other records, overwrite event delegation requests, or modify shadow attribute proposals that belong to other organizations.

Depending on the visibility and sharing configuration of the objects, this could also result in unauthorized access to or transfer of sensitive threat intelligence data.

Detection Guidance

Exploitation of this vulnerability shows up as unexpected changes to ownership and identity fields (id, org_id, orgc_id, user_id) on MISP collections, tag collections, event delegations, and shadow attributes, made by a user or organization that does not own the record.

Because the attacker must be authenticated, every exploitation attempt is a logged, attributable request to one of the affected actions: CollectionsController::edit(), EventDelegationsController::delegateEvent(), ShadowAttributesController::edit(), TagCollectionsController::edit(), and TagCollectionsController::editWithTags(). Note that these PHP method names never appear in a web server access log; what the access log records is the URL path. MISP's CakePHP routing exposes an action as /controller/action/id, so requests to the affected actions can be pulled out of an access log by path (the path forms below follow that routing convention and allow both underscore and camelCase controller names):

  • grep -iE '/(collections|tag_?collections)/edit(withtags)?/' /path/to/misp/logs/access.log
  • grep -iE '/event_?delegations/delegateevent/' /path/to/misp/logs/access.log
  • grep -iE '/shadow_?attributes/edit/' /path/to/misp/logs/access.log

Grepping the access log for id=, org_id= or user_id= is not useful: the protected fields travel in the POST body or JSON payload, which the access log does not contain, and id= alone matches almost every MISP request. To see which fields a request actually changed, use MISP's own application log (the Logs view in the web UI, also available through the REST API), which records the model, record ID, action, acting user and organization, and a change string listing each modified field with its old and new value; alternatively, enable request-body logging on a reverse proxy in front of MISP.

Additionally, monitoring for unexpected changes in ownership or delegation records within the MISP database could help detect exploitation attempts.
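The log-based detection described above, as an added example that is not MISP's own tooling: a PHP script that scans a JSON-lines export of MISP application-log records and flags edits that changed an ownership or identity field on one of the four affected models. The record fields (model, model_id, action, user_id, org, change) mirror MISP's Log table, but the JSON-lines export, the exact "field (old) => (new)" format of the change string, and the sample records are assumptions constructed for this example. Requires PHP 7.4 or later.

```php
<?php
// Added example (not MISP's own code): scan exported MISP application-log
// records for edits that changed an ownership or identity field on a model
// named in the advisory. The record shape mirrors MISP's Log table; the
// JSON-lines export and the "field (old) => (new)" change syntax are
// assumptions for this example.

declare(strict_types=1);

const WATCHED_MODELS = ['Collection', 'TagCollection', 'ShadowAttribute', 'EventDelegation'];
const WATCHED_FIELDS = ['id', 'org_id', 'orgc_id', 'user_id'];

/**
 * Parse a change string such as "org_id (1) => (7), name (a) => (b)"
 * into [field => [old, new]].
 */
function parseChange(string $change): array
{
    $out = [];
    if (preg_match_all('/(\w+) \(([^)]*)\) => \(([^)]*)\)/', $change, $m, PREG_SET_ORDER)) {
        foreach ($m as $hit) {
            $out[$hit[1]] = [$hit[2], $hit[3]];
        }
    }
    return $out;
}

/**
 * Return every record in which a watched model had a watched field moved
 * by an edit, together with the offending fields and their old/new values.
 */
function findOwnershipChanges(string $jsonLines): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($jsonLines)) as $line) {
        if ($line === '') continue;
        $rec = json_decode($line, true);
        if (!is_array($rec)) continue;                       // skip malformed lines
        if (($rec['action'] ?? '') !== 'edit') continue;
        if (!in_array($rec['model'] ?? '', WATCHED_MODELS, true)) continue;
        $changed = parseChange($rec['change'] ?? '');
        $hits = array_intersect_key($changed, array_flip(WATCHED_FIELDS));
        $hits = array_filter($hits, fn($v) => $v[0] !== $v[1]); // only fields that actually moved
        if ($hits !== []) {
            $findings[] = ['record' => $rec, 'fields' => $hits];
        }
    }
    return $findings;
}

// Constructed sample export: a benign description edit, an ownership takeover
// of a Collection by a user from another org, a ShadowAttribute edit whose
// primary key was redirected to another row, and an Event edit (not watched).
$sample = <<<'JSONL'
{"id":1,"model":"Collection","model_id":42,"action":"edit","user_id":3,"org":"ORG_A","change":"description (old) => (new)"}
{"id":2,"model":"Collection","model_id":42,"action":"edit","user_id":50,"org":"ORG_B","change":"org_id (1) => (7), user_id (3) => (50), description (new) => (pwned)"}
{"id":3,"model":"ShadowAttribute","model_id":17,"action":"edit","user_id":50,"org":"ORG_B","change":"id (17) => (18), value (a) => (b)"}
{"id":4,"model":"Event","model_id":5,"action":"edit","user_id":3,"org":"ORG_A","change":"org_id (1) => (7)"}
JSONL;

foreach (findOwnershipChanges($sample) as $f) {
    $r = $f['record'];
    $desc = [];
    foreach ($f['fields'] as $field => $v) {
        $desc[] = sprintf('%s %s->%s', $field, $v[0], $v[1]);
    }
    printf("ALERT log#%d %s/%d by user %d (%s): %s\n",
        $r['id'], $r['model'], $r['model_id'], $r['user_id'], $r['org'], implode(', ', $desc));
}
```

On the sample above only records 2 and 3 are flagged: record 1 changes no protected field, and record 4 is an Event edit, which is outside the models this advisory covers. In practice, feed the script a fresh export restricted to the post-patch window for triage and to the pre-patch window to look for past abuse, and correlate the acting user_id and org against the record's expected owner.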

Mitigation Strategies

Immediate mitigation steps include applying the security fix that explicitly pins ownership and identity fields to their stored values during edit operations and removes user-supplied primary keys from create-only save paths.

Specifically, update the MISP installation to include the patch that modifies the following controllers to prevent unauthorized modifications:

  • CollectionsController.php - forcibly reset 'id', 'orgc_id', 'org_id', and 'user_id' to original values during edits.
  • EventDelegationsController.php - unset the 'id' field in request data to prevent unauthorized delegation updates.
  • ShadowAttributesController.php - unset the 'id' field to prevent unauthorized edits to shadow attribute proposals.
  • TagCollectionsController.php - pin 'org_id' and 'user_id' to stored values during edits to prevent ownership transfer.
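The defect described in the advisory and the pinning fix listed for the four controllers, reduced to plain PHP as an added example that is not MISP's own code: the vulnerable action merges the request body over the stored record, so a client-supplied id, org_id, orgc_id or user_id wins; the hardened action forces those fields back to their stored values, and the create-only path drops a client-supplied primary key and stamps ownership from the session. MISP's real controllers work on CakePHP request data and model save calls; the function names, array shapes and sample values here are assumptions for illustration. Requires PHP 7.0 or later.

```php
<?php
// Added example (not MISP's own code): a CakePHP-style edit action reduced to
// plain PHP arrays to show the mass-assignment defect and the pinning fix.
// Field names follow the advisory; helper names and sample data are invented.

declare(strict_types=1);

/** Fields the server must own; the client may never set them on edit. */
const PROTECTED_FIELDS = ['id', 'org_id', 'orgc_id', 'user_id'];

/**
 * Vulnerable pattern: the request body is merged over the stored record, so a
 * client that sends "org_id" rewrites ownership and one that sends "id"
 * redirects the save to another row.
 */
function editVulnerable(array $stored, array $request): array
{
    return array_merge($stored, $request);
}

/**
 * Hardened pattern (what the fix does): accept the client's fields, then force
 * every protected field back to the stored value before saving. A protected
 * field the stored record does not carry is dropped rather than invented.
 */
function editPinned(array $stored, array $request): array
{
    $data = array_merge($stored, $request);
    foreach (PROTECTED_FIELDS as $field) {
        if (array_key_exists($field, $stored)) {
            $data[$field] = $stored[$field];
        } else {
            unset($data[$field]);
        }
    }
    return $data;
}

/**
 * Create-only path (event delegations, shadow attribute proposals): there is no
 * stored record to pin against, so a client-supplied primary key is simply
 * removed (otherwise the INSERT turns into an UPDATE of that id) and ownership
 * is stamped from the authenticated session.
 */
function createPinned(array $request, int $sessionOrgId, int $sessionUserId): array
{
    unset($request['id']);
    $request['org_id']  = $sessionOrgId;
    $request['user_id'] = $sessionUserId;
    return $request;
}

// Constructed sample: a collection owned by org 1 / user 3, and a request from
// an attacker (org 7, user 50) that tries to take it over and redirect the write.
$stored  = ['id' => 42, 'org_id' => 1, 'orgc_id' => 1, 'user_id' => 3,
            'name' => 'IOC set', 'description' => 'old'];
$request = ['id' => 99, 'org_id' => 7, 'user_id' => 50, 'description' => 'new'];

$bad  = editVulnerable($stored, $request);
$good = editPinned($stored, $request);

printf("vulnerable edit: id=%d org_id=%d orgc_id=%d user_id=%d\n",
    $bad['id'], $bad['org_id'], $bad['orgc_id'], $bad['user_id']);
printf("pinned edit:     id=%d org_id=%d orgc_id=%d user_id=%d description=%s\n",
    $good['id'], $good['org_id'], $good['orgc_id'], $good['user_id'], $good['description']);

// Create path: the attacker supplies id=5 hoping to overwrite an existing
// delegation request; the hardened path discards it.
$created = createPinned(['id' => 5, 'event_id' => 12, 'message' => 'please take this'], 7, 50);
printf("create: has id? %s, org_id=%d user_id=%d\n",
    array_key_exists('id', $created) ? 'yes' : 'no', $created['org_id'], $created['user_id']);
```

The same shape applies to any framework that builds a record from a request hash: decide server-side which fields are identity and ownership, and either whitelist the fields a client may set or, as the MISP fix does, overwrite the protected ones from the stored record or the session after the merge. Either way the check must live in the save path itself, not in the UI form, since an authenticated user can send arbitrary JSON to these endpoints directly.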

Until the patch is applied, restrict authenticated user access to the affected endpoints and monitor for suspicious activity as a temporary control.

Compliance Impact

This vulnerability allows an authenticated attacker to modify ownership and identity fields in MISP objects, potentially leading to unauthorized access to or transfer of sensitive threat intelligence data.

Such unauthorized modifications and data access could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data access, integrity, and confidentiality.
