CVE-2026-54396
Status: Deferred - Pending Action

Information Disclosure in MISP AuthKey Edit Functionality

Vulnerability report for CVE-2026-54396, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown in the re-rendered form is populated from the attacker-controlled AuthKey.user_id value in the submitted request data rather than from the stored key. An authenticated user with permission to edit an AuthKey can therefore submit arbitrary user IDs and read the returned dropdown data, enumerating user email addresses (and their mapping to numeric user IDs). The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.


Meta Information

Published: 2026-06-12
Last Modified: 2026-06-15
Generated: 2026-07-03
AI Q&A: 2026-06-13
EPSS Evaluated: 2026-07-01
NVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor: misp
Product: misp
Version / Range: * (no version range specified in the CPE match)

Exploitability

CWE

CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Executive Summary

This vulnerability is an information disclosure issue in the MISP AuthKey edit functionality. When an authenticated user with permission to edit an AuthKey submits an edit request that fails validation, the form is re-rendered with a user dropdown populated from the attacker-controlled user_id value in the request instead of from the stored key. The attacker can submit arbitrary user IDs, one per request, and read the corresponding dropdown data, enumerating user email addresses along with their numeric user IDs.

The root cause is that view data for the failed-save path is derived from the submitted request body instead of from the persisted AuthKey owner. The fix changes the dropdown to use the stored AuthKey owner, so the submitted user_id no longer influences what is rendered.
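The flaw described in the Description and Executive Summary above, modelled as an added example in Python rather than MISP's own PHP/CakePHP code: an edit handler that, when the save fails validation, re-renders the owner dropdown from the submitted user_id (vulnerable) versus from the stored key (fixed), plus the enumeration loop an attacker would run against it. The user table, key table, validation rule and function names are constructed for this example and are not MISP identifiers.

```python
"""Model of CVE-2026-54396: view data for a failed edit built from the
request body instead of the persisted record.  Constructed example; the
tables, validation rule and handler names are not MISP's own code."""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str


@dataclass
class AuthKey:
    id: int
    user_id: int        # owner of the key
    comment: str = ""


# Constructed sample data standing in for the application database.
USERS = {u.id: u for u in (
    User(1, "admin@example.org"),
    User(7, "analyst@example.org"),
    User(42, "ciso@example.org"),
)}
AUTHKEYS = {100: AuthKey(100, 7, "analyst key")}


class ValidationError(Exception):
    pass


def validate(form):
    # Stand-in for model validation; an over-long comment fails the save.
    if len(form.get("comment", "")) > 20:
        raise ValidationError("comment too long")


def dropdown_for(user_id):
    # Data the edit view renders in its "user" dropdown: {id: email}.
    u = USERS.get(user_id)
    return {u.id: u.email} if u else {}


def edit_vulnerable(actor_id, key_id, form):
    """Vulnerable handler: authorization is enforced, but on a validation
    failure the dropdown is rebuilt from the submitted user_id."""
    key = AUTHKEYS[key_id]
    if key.user_id != actor_id:
        raise PermissionError("not your key")
    try:
        validate(form)
    except ValidationError:
        # BUG: attacker-controlled user_id selects which user is echoed back.
        return {"error": True, "dropdown": dropdown_for(int(form["user_id"]))}
    key.comment = form["comment"]
    return {"error": False, "dropdown": dropdown_for(key.user_id)}


def edit_fixed(actor_id, key_id, form):
    """Hardened handler: the dropdown always comes from the persisted owner;
    the submitted user_id never reaches the view."""
    key = AUTHKEYS[key_id]
    if key.user_id != actor_id:
        raise PermissionError("not your key")
    try:
        validate(form)
    except ValidationError:
        return {"error": True, "dropdown": dropdown_for(key.user_id)}
    key.comment = form["comment"]
    return {"error": False, "dropdown": dropdown_for(key.user_id)}


def enumerate_emails(handler, actor_id, key_id, id_range):
    """Attacker loop: submit a deliberately invalid edit once per candidate
    user_id and collect whatever other users the dropdown reveals."""
    found = {}
    for uid in id_range:
        resp = handler(actor_id, key_id,
                       {"user_id": str(uid), "comment": "x" * 21})
        for rid, email in resp["dropdown"].items():
            if rid != actor_id:
                found[rid] = email
    return found


if __name__ == "__main__":
    # Actor 7 owns key 100 and may edit it; nothing is ever saved because
    # every request fails validation, yet the vulnerable path leaks emails.
    print(enumerate_emails(edit_vulnerable, 7, 100, range(1, 50)))
    print(enumerate_emails(edit_fixed, 7, 100, range(1, 50)))
```

The enumeration never produces a successful save, so audit trails based on persisted changes show nothing; only the request log records the burst of failed edits. The general rule the fix applies is that anything re-rendered after a failed save must be rebuilt from the authoritative record (or from values the actor is already allowed to see), never from fields the actor supplied.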

Impact Analysis

An authenticated user who can edit an AuthKey can enumerate the email addresses of other MISP users and tie them to numeric user IDs, without any change being saved. In a threat-intelligence platform the user list itself is sensitive, and the disclosed addresses can be leveraged for phishing, social engineering, or targeted attacks against those users. The disclosure is limited to user dropdown data (IDs and email addresses); the description does not indicate that key material is exposed.

Mitigation Strategies

To mitigate this vulnerability, update MISP to a release that contains the fix, in which the dropdown user is derived from the persisted AuthKey owner instead of the request body. To confirm the fix on a running instance, submit an AuthKey edit that deliberately fails validation with a user_id belonging to another account: a patched instance re-renders the form with the key's real owner, an unpatched one shows the other user's address.

Additionally, limit which accounts may edit AuthKeys to the extent your deployment allows, and review the application's logs for bursts of failed AuthKey edit requests from a single account, which is what the enumeration looks like in practice.

Compliance Impact

This vulnerability allows an authenticated user with permission to edit an AuthKey to enumerate user email addresses by submitting arbitrary user IDs and observing the returned dropdown data. Email addresses are personal data under GDPR and similar data protection regimes, which require safeguarding such information against unauthorized access and disclosure.

An unpatched instance may therefore fall short of requirements that mandate strict controls on the confidentiality of personal data, and the exposure should be assessed in any breach or incident review.
