CVE-2026-56422
Status: Received - Intake
Authentication Bypass in MISP Core Controllers

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object. In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user's context. The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub's patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
misp misp *
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-56422 is a mass assignment vulnerability in the MISP (Malware Information Sharing Platform) software. It occurs because multiple core controllers and model capture paths accepted client-controlled request fields such as primary keys and ownership or scope foreign keys without properly stripping, pinning, or revalidating them against server-authorized objects.

This flaw allows an authenticated user with access to one authorized object to craft REST or form payloads that cause MISP to save data against a different object than the one checked by authorization logic. This can lead to unauthorized overwrites, re-parenting, ownership transfers, sharing-group scoping bypasses, event or object injection, proposal retargeting, or stored attacker-controlled content appearing in another user's context.

The root cause is that the system trusted client-supplied IDs (like primary keys or foreign keys) in requests, which CakePHP then used to update arbitrary rows in the database. Fixes involved stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating sharing-group scope, and adding field whitelists to prevent editing of ownership fields.

Impact Analysis

This vulnerability can have severe impacts including unauthorized modification or overwriting of data objects within MISP that a user should not have access to.

  • An attacker can overwrite or re-parent objects, effectively transferring ownership or changing the scope of data without authorization.
  • It can allow injection of events or objects into contexts where the attacker has no permission, potentially corrupting data or misleading users.
  • Unauthorized sharing-group scoping can occur, allowing attackers to assign data to sharing groups they do not belong to, bypassing access controls.
  • Attackers with site-admin privileges can manipulate imports or server configurations, such as changing sync URLs or authentication keys, without proper authorization.
  • Stored attacker-controlled content may appear in other users' contexts, potentially leading to data leakage or trust violations.
Detection Guidance

The CVE-2026-56422 vulnerability involves mass assignment issues in the MISP platform where client-controlled fields such as primary keys and ownership/scope foreign keys are accepted without proper validation. Detection involves monitoring for unusual or unauthorized modifications to objects such as events, attributes, servers, taxonomies, workflows, proposals, and sharing groups that could indicate exploitation attempts.

Specifically, detection can focus on identifying crafted REST or form payloads that include unexpected or manipulated fields like 'id', 'event_id', 'org_id', 'user_id', 'sharing_group_id', or 'galaxy_cluster_uuid' that cause unauthorized overwrites, re-parenting, or ownership transfers.

While the provided resources do not include explicit detection commands, network or system administrators can monitor HTTP request logs for suspicious API calls to endpoints such as '/attributes/import', '/servers/add', '/taxonomies/import', '/shadowAttributes/add', '/workflow/add', '/templates/add', and others mentioned in the fixes. Look for requests containing unexpected primary key fields or ownership identifiers in the request body.

Additionally, monitoring audit logs for unexpected changes in event ownership, sharing groups, or attribute assignments can help detect exploitation attempts.
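As an added illustration (not from the advisory and not MISP code), a Python scan over constructed JSON-lines request records that applies the heuristics above: a client-supplied 'id' in the body of one of the listed create endpoints, or an ownership/scope key whose value does not match the identifier already authorized by the route. The record format, the endpoint list and the route-id convention are assumptions.

```python
import json

# Ownership/scope keys named in the advisory; clients should not be able to set them.
SCOPE_FIELDS = {"event_id", "org_id", "user_id", "sharing_group_id",
                "galaxy_cluster_uuid", "organisation_uuid"}
# Create endpoints from the detection guidance (assumed route prefixes).
CREATE_ENDPOINTS = ("/attributes/import", "/servers/add", "/taxonomies/import",
                    "/shadowAttributes/add", "/workflow/add", "/templates/add")

def _walk(obj, path=""):
    # Yield (dotted_path, key, value) for every key in nested dicts and lists.
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else k
            yield here, k, v
            yield from _walk(v, here)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")

def flag_request(rec):
    """Return dotted paths of suspicious body fields in one request record."""
    if rec.get("method") not in ("POST", "PUT"):
        return []
    path = rec.get("path", "")
    is_create = path.startswith(CREATE_ENDPOINTS)
    last = path.rstrip("/").rsplit("/", 1)[-1]
    route_id = last if last.isdigit() else None   # id the route already authorized
    hits = []
    for dotted, key, val in _walk(rec.get("body", {})):
        if key == "id" and is_create:
            hits.append(dotted)                     # payload PK on a create-only save
        elif key == "event_id" and route_id is not None and str(val) == route_id:
            continue                                # matches the route: benign
        elif key in SCOPE_FIELDS:
            hits.append(dotted)                     # client-set ownership/scope key
    return hits

def scan_log(lines):
    """Scan a JSON-lines request log; return [(path, suspicious fields), ...]."""
    recs = [json.loads(line) for line in lines]
    return [(r["path"], flag_request(r)) for r in recs if flag_request(r)]

# Constructed sample log lines (not real MISP traffic).
SAMPLE_LOG = [
    '{"method":"POST","path":"/attributes/add/42","body":{"Attribute":{"value":"1.2.3.4","event_id":42}}}',
    '{"method":"POST","path":"/attributes/add/42","body":{"Attribute":{"value":"1.2.3.4","event_id":7}}}',
    '{"method":"POST","path":"/shadowAttributes/add/42","body":{"ShadowAttribute":{"id":99,"value":"x"}}}',
    '{"method":"GET","path":"/events/view/42","body":{}}',
]
```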

Mitigation Strategies

Immediate mitigation steps involve applying the security patches that address the mass assignment vulnerabilities in MISP. These patches harden the affected create/edit/import flows by:

  • Stripping client-supplied primary keys (such as 'id') on create-only saves to prevent unauthorized updates.
  • Re-pinning route- or database-authorized identifiers before save operations to ensure data is saved only to authorized objects.
  • Validating effective sharing-group scope and ownership fields to prevent unauthorized sharing-group assignments or ownership transfers.
  • Adding field whitelists where ownership fields must never be editable by clients.

Administrators should update their MISP installations to the fixed versions that include these patches, as described in the referenced commits. Until patches are applied, restrict access to MISP APIs and monitor for suspicious activity as a temporary measure.
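An added illustration of the defect the description attributes to CRUDComponent::edit() and of the fix pattern listed above, modelled in Python on an in-memory table rather than MISP's own PHP code; the Table class, field names and helper functions are hypothetical.

```python
import copy

# Hypothetical in-memory table standing in for a CakePHP model: save() picks the
# row to write from the record's primary key, as the advisory describes.
class Table:
    def __init__(self, rows):
        self.rows = {r["id"]: dict(r) for r in rows}
    def load(self, pk):
        return copy.deepcopy(self.rows[pk])
    def save(self, record):
        self.rows[record["id"]] = dict(record)   # the 'id' field chooses the row
        return record["id"]

OWNERSHIP_FIELDS = {"org_id", "user_id", "sharing_group_id"}

def edit_vulnerable(table, authorized_id, payload):
    """Copies every payload field onto the loaded row, including a payload 'id'."""
    record = table.load(authorized_id)   # authorization was checked for this id
    record.update(payload)               # a payload 'id' silently retargets save()
    return table.save(record)

def edit_hardened(table, authorized_id, payload, editable):
    """Whitelist editable fields and re-pin the authorized primary key before save."""
    record = table.load(authorized_id)
    for k, v in payload.items():
        if k in editable and k not in OWNERSHIP_FIELDS:
            record[k] = v
    record["id"] = authorized_id         # re-pin: payload cannot redirect the save
    return table.save(record)

def create_hardened(table, payload, owner_org, editable):
    """Strip a client-supplied primary key on create and pin ownership server-side."""
    record = {k: v for k, v in payload.items() if k in editable and k != "id"}
    record["id"] = max(table.rows, default=0) + 1
    record["org_id"] = owner_org
    return table.save(record)

def demo():
    # Constructed rows: the caller is authorized for row 1 only; the payload names row 2.
    rows = [{"id": 1, "org_id": 10, "info": "mine"}, {"id": 2, "org_id": 20, "info": "theirs"}]
    crafted = {"id": 2, "info": "overwritten", "org_id": 10}
    vuln = Table(rows)
    edit_vulnerable(vuln, authorized_id=1, payload=crafted)
    safe = Table(rows)
    edit_hardened(safe, authorized_id=1, payload=crafted, editable={"info"})
    return vuln.rows[2]["info"], safe.rows[2]["info"], safe.rows[1]
```

demo() returns ("overwritten", "theirs", {...row 1 with only its info changed...}): the vulnerable path wrote the unauthorized row, the hardened path wrote only the authorized row and ignored the ownership field.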

Compliance Impact

The CVE-2026-56422 vulnerability in MISP involves mass assignment issues that allow authenticated users to manipulate data objects beyond their authorized scope. This can lead to unauthorized data overwrites, ownership transfers, event or object injections, and unauthorized sharing group re-scoping.

Such unauthorized data modifications and access control bypasses can undermine data integrity and confidentiality, which are critical requirements under common standards and regulations like GDPR and HIPAA. Specifically, the vulnerability could allow attackers to alter or expose sensitive information by injecting or overwriting data in objects they should not control.

Therefore, this vulnerability poses a risk to compliance with data protection regulations by potentially enabling unauthorized access, modification, or sharing of protected data, violating principles of data minimization, integrity, and access control.
