CVE-2026-54398
Authorization Bypass in MISP Object Sharing Groups

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use. An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
misp misp *
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability is an authorization flaw in MISP's object add/edit handling. It allows an authenticated user who has permissions to edit objects to assign a MISP object or its contained attributes to a sharing group that the user is not authorized to access or view.

The flaw occurs because the sharing group validation is performed against the wrong data structure after object fields have been merged to the top level, which causes the validation check to be bypassed. Additionally, attributes embedded within objects are not individually validated for authorized sharing group use.

An attacker could exploit this by crafting a request with a specific distribution setting and an arbitrary sharing group ID, potentially revealing the existence or name of sharing groups that should be hidden and improperly modifying the distribution metadata of objects or their attributes.
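The bypass that the Description and the Executive Summary both outline, modelled as an added example in hypothetical Python (not MISP's own PHP code): the request shape, the user's set of permitted sharing groups and the sample request are constructed; distribution level 4 is the value named on the page.

```python
"""Model of the CVE-2026-54398 logic flaw: the sharing-group check is evaluated
against the nested request structure after the object's fields were merged to
the top level, and embedded attributes are never checked. Hypothetical code."""
from typing import Any

DISTRIBUTION_SHARING_GROUP = 4          # MISP distribution level "Sharing group"
USER_SHARING_GROUPS = {1, 2}            # constructed: groups this user may use or view


def merge_object_fields(request: dict[str, Any]) -> dict[str, Any]:
    """Lift the nested 'Object' fields to the top level, as the edit path did."""
    merged = dict(request)
    merged.update(merged.pop("Object", {}))
    return merged


def sharing_group_allowed(item: dict[str, Any], allowed: set[int]) -> bool:
    """Only distribution 4 needs a sharing group; then it must be one the user holds."""
    if item.get("distribution") != DISTRIBUTION_SHARING_GROUP:
        return True
    return item.get("sharing_group_id") in allowed


def validate_vulnerable(request: dict[str, Any], allowed: set[int]) -> bool:
    merged = merge_object_fields(request)
    # BUG: reads the nested 'Object' key, which the merge already emptied, so
    # distribution is None and the check is silently skipped for any group id.
    return sharing_group_allowed(merged.get("Object", {}), allowed)


def validate_fixed(request: dict[str, Any], allowed: set[int]) -> bool:
    merged = merge_object_fields(request)
    # Check the object where its fields actually live after the merge...
    if not sharing_group_allowed(merged, allowed):
        return False
    # ...and every embedded attribute, each of which carries its own distribution.
    return all(sharing_group_allowed(a, allowed) for a in merged.get("Attribute", []))


# Constructed request: object and attribute point at a group the user does not hold.
SAMPLE_REQUEST = {
    "Object": {
        "name": "file",
        "distribution": 4,
        "sharing_group_id": 9,
        "Attribute": [{"type": "md5", "distribution": 4, "sharing_group_id": 9}],
    }
}

if __name__ == "__main__":
    print("vulnerable check accepts:", validate_vulnerable(SAMPLE_REQUEST, USER_SHARING_GROUPS))
    print("fixed check accepts:", validate_fixed(SAMPLE_REQUEST, USER_SHARING_GROUPS))
```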

Impact Analysis

This vulnerability allows unauthorized disclosure of information about sharing groups that the acting user is not permitted to see.

It also allows unauthorized modification of the distribution metadata of MISP objects or their contained attributes, which could lead to improper sharing or exposure of sensitive threat intelligence data.
