CVE-2026-56423
Received - Intake
Broken Access Control in MISP Core Bulk Deletion

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object.

For Event Reports, EventReportsController::deleteSelection relied on the global perm_add capability rather than a per-report ownership/authorization check. As a result, a contributor-level user could submit report IDs or UUIDs for reports belonging to other organisations and hard-delete them instance-wide. The fix changed the callback to call EventReport::fetchIfAuthorized($user, $itemId, 'delete') for each selected report before deletion.

For Sharing Groups, SharingGroupsController::deleteSelection relied on the global perm_sharing_group capability rather than verifying ownership of each selected sharing group. This allowed a sharing-group-capable user to hard-delete sharing groups owned by other organisations, bypassing the per-object ownership gate used by the single-object delete action. The fix changed the callback to call SharingGroup::checkIfOwner($user, $itemId) for each selected sharing group.

An authenticated attacker with the relevant broad role permission could abuse the affected bulk deletion endpoints to delete objects outside their organisation's authorization scope, causing loss of event-report content or sharing-group configuration across the instance.
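The pattern the description refers to, as an added illustration rather than MISP code: a small Python model of a bulk-delete handler gated only by a role flag, next to one that authorizes each selected object before touching it. The User, EventReport and ReportStore classes, the delete_selection_* functions and the ownership rule (a non-admin may delete only reports of their own organisation) are assumptions of this model; MISP's real checks live in EventReport::fetchIfAuthorized and SharingGroup::checkIfOwner, which this does not reproduce. The same shape applies to the sharing-group case.

```python
"""Bulk-delete authorization: role-level gate versus per-object check.

Added model, not MISP code. Class and function names, and the ownership
rule (a non-admin may delete only their own organisation's reports), are
assumptions of this illustration.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a user is not authorized for the requested action."""


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    perm_add: bool = False        # role-level capability, as MISP roles expose it
    perm_site_admin: bool = False


@dataclass
class EventReport:
    id: int
    org_id: int                   # organisation that owns the report
    name: str
    deleted: bool = False


class ReportStore:
    def __init__(self, reports):
        self.reports = {r.id: r for r in reports}

    def fetch_if_authorized(self, user, report_id, action):
        """Per-object check in the spirit of EventReport::fetchIfAuthorized.

        Assumed rule: site admins may act on anything; everyone else only on
        reports owned by their own organisation.
        """
        report = self.reports.get(report_id)
        if report is None or report.deleted:
            raise Forbidden(f"report {report_id} not found")
        if not user.perm_site_admin and report.org_id != user.org_id:
            raise Forbidden(f"user {user.id} may not {action} report {report_id}")
        return report

    def delete_selection_vulnerable(self, user, ids):
        """Before the fix: one role-level decision covers the whole batch.

        Nothing ties the selected IDs to the caller, so any perm_add user can
        hard-delete reports of every organisation on the instance.
        """
        if not user.perm_add:
            raise Forbidden("perm_add required")
        deleted = []
        for rid in ids:
            report = self.reports.get(rid)
            if report is not None and not report.deleted:
                report.deleted = True
                deleted.append(rid)
        return deleted

    def delete_selection_fixed(self, user, ids):
        """After the fix: the role gate stays, and each ID is authorized on its own."""
        if not user.perm_add:
            raise Forbidden("perm_add required")
        result = {"deleted": [], "denied": []}
        for rid in ids:
            try:
                report = self.fetch_if_authorized(user, rid, "delete")
            except Forbidden:
                result["denied"].append(rid)     # skipped, never touched
                continue
            report.deleted = True
            result["deleted"].append(rid)
        return result


def scenario():
    """Constructed case: a perm_add contributor of org 2 selects org 1's reports too."""
    def fresh_store():
        return ReportStore([
            EventReport(1, org_id=1, name="incident-2026-q2"),
            EventReport(2, org_id=1, name="ioc-triage"),
            EventReport(3, org_id=2, name="own-report"),
        ])

    attacker = User(id=7, org_id=2, perm_add=True)
    selection = [1, 2, 3]         # two foreign reports plus the attacker's own
    return {
        "vulnerable": fresh_store().delete_selection_vulnerable(attacker, selection),
        "fixed": fresh_store().delete_selection_fixed(attacker, selection),
    }


if __name__ == "__main__":
    print(scenario())
```

Running it shows the vulnerable handler deleting all three reports while the fixed one deletes only report 3 and refuses 1 and 2. The fixed variant skips unauthorized IDs and reports them; an all-or-nothing variant that rejects the whole batch on the first failure is the other reasonable choice and is stricter.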
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
misp misp *
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability in MISP Core involves broken access-control checks in the bulk deletion processes for Event Reports and Sharing Groups.

For Event Reports, the deletion function used a broad global permission (perm_add) instead of verifying if the user was authorized to delete each specific report. This meant that a contributor-level user could delete reports belonging to other organizations.

For Sharing Groups, the bulk deletion function relied on a global sharing group permission rather than checking ownership of each sharing group. This allowed users with sharing group permissions to delete sharing groups owned by other organizations.

The vulnerability allowed authenticated users with certain broad permissions to delete objects outside their authorized scope, potentially causing loss of data across the instance.

Impact Analysis

This vulnerability can lead to unauthorized deletion of event reports and sharing groups that belong to other organizations within the MISP instance.

An authenticated attacker holding the contributor-level perm_add permission or the perm_sharing_group permission could abuse the bulk deletion endpoints to cause loss of event-report content or sharing-group configuration across the entire instance, not just within their own organisation.

This could disrupt collaboration, data integrity, and availability of shared threat intelligence information.

Mitigation Strategies

To mitigate this vulnerability, update MISP Core to a release that includes the fix for the bulk deletion authorization checks (this page does not list the fixed version; consult the MISP release notes). Until the update is in place, review which roles carry perm_add and perm_sharing_group, since every user holding either permission can reach the affected endpoints.

  • For Event Reports, apply the fix that changes the deleteSelection handler to call EventReport::fetchIfAuthorized for each report, ensuring only authorized users can delete reports.
  • For Sharing Groups, apply the fix that modifies the deleteSelection handler to call SharingGroup::checkIfOwner for each sharing group, enforcing ownership checks before deletion.

These fixes align bulk deletion authorization with the stricter single deletion controls, preventing users with broad role permissions from deleting objects outside their organization.

Compliance Impact

This vulnerability allows authenticated users with broad role permissions to delete event reports and sharing groups belonging to other organizations without proper authorization checks.

Such unauthorized deletions can lead to loss of sensitive data and breach of data integrity, which may violate compliance requirements under regulations like GDPR and HIPAA that mandate strict access controls and data protection.

By enabling cross-organization data deletion, the vulnerability undermines the principle of data segregation and accountability, potentially exposing organizations to regulatory penalties.

Detection Guidance

This vulnerability involves broken access control in bulk deletion endpoints of MISP, allowing users with broad permissions to delete event reports or sharing groups outside their authorization scope.

To detect exploitation attempts, monitor for requests to the deleteSelection action of the eventReports and sharingGroups controllers (MISP is a CakePHP application, so the controller and action names appear in the request path and the string deleteSelection is visible in the web server access log), and for the corresponding delete entries in MISP's audit log.

Specifically, look for authenticated users with contributor-level or sharing-group permissions performing bulk deletions of reports or sharing groups that do not belong to their organization.

Suggested commands to help detect suspicious activity include:

  • Searching the web server access log for requests whose path contains deleteSelection, e.g. `grep -i 'deleteSelection' /var/log/apache2/*access*.log` (adjust the path to your web server's access log location; MISP's own CakePHP logs live under app/tmp/logs/ in the MISP install directory by default), then looking up the matching delete entries in MISP's audit log (Administration > Audit logs in the web UI), which record the acting user and organisation together with the model and ID of each deleted object.
  • Filtering logs for user IDs or roles with `perm_add` or sharing group permissions performing deletions on objects outside their organization.
  • Using database queries to audit recent deletions and verify if deleted event reports or sharing groups belonged to the deleting user's organization.

Since the vulnerability is related to authorization checks in the application logic, network-level detection commands are limited; focus on application logs and audit trails.
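The second and third suggestions above worked as a script, added here as an example and not a MISP tool: it reads an audit log exported as JSON lines, recovers each object's owning organisation from the add entry that created it (the deleted row itself is gone, so that entry is the only ownership record left in the log), flags deletes whose actor belongs to a different organisation, and groups deletes by request ID to surface bulk operations. The field names (created, user_id, org_id, request_id, action, model, model_id) follow the layout of MISP's audit_logs table but are an assumption of this script, and every row in SAMPLE_AUDIT_LOG is constructed.

```python
"""Hunt for cross-organisation and bulk deletions in a MISP-style audit log.

Added example, not MISP's own tooling. The input is assumed to be an audit
log exported as JSON lines carrying the fields used below; the field names
follow MISP's audit_logs layout but are an assumption here, and every row in
SAMPLE_AUDIT_LOG is constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime

WATCHED_MODELS = {"EventReport", "SharingGroup"}
BULK_THRESHOLD = 3    # deletes sharing one request id that count as a bulk operation

# Constructed rows: org 1 (users 1 and 3) and org 2 (user 9) share the instance.
SAMPLE_AUDIT_LOG = """\
{"created": "2026-06-20T09:00:00", "user_id": 3, "org_id": 1, "request_id": "a1", "action": "add", "model": "EventReport", "model_id": 11}
{"created": "2026-06-20T09:05:00", "user_id": 3, "org_id": 1, "request_id": "a2", "action": "add", "model": "EventReport", "model_id": 12}
{"created": "2026-06-20T09:10:00", "user_id": 3, "org_id": 1, "request_id": "a3", "action": "add", "model": "EventReport", "model_id": 14}
{"created": "2026-06-21T10:00:00", "user_id": 9, "org_id": 2, "request_id": "a4", "action": "add", "model": "EventReport", "model_id": 13}
{"created": "2026-06-21T10:10:00", "user_id": 1, "org_id": 1, "request_id": "a5", "action": "add", "model": "SharingGroup", "model_id": 5}
{"created": "2026-06-22T14:30:00", "user_id": 9, "org_id": 2, "request_id": "b7", "action": "delete", "model": "EventReport", "model_id": 11}
{"created": "2026-06-22T14:30:00", "user_id": 9, "org_id": 2, "request_id": "b7", "action": "delete", "model": "EventReport", "model_id": 12}
{"created": "2026-06-22T14:30:00", "user_id": 9, "org_id": 2, "request_id": "b7", "action": "delete", "model": "EventReport", "model_id": 13}
{"created": "2026-06-22T15:00:00", "user_id": 9, "org_id": 2, "request_id": "b8", "action": "delete", "model": "SharingGroup", "model_id": 5}
{"created": "2026-06-22T16:00:00", "user_id": 3, "org_id": 1, "request_id": "b9", "action": "delete", "model": "EventReport", "model_id": 14}
"""


def parse_audit_log(text):
    """JSON-lines export -> list of dicts, with created parsed to datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        row["created"] = datetime.fromisoformat(row["created"])
        rows.append(row)
    return rows


def owner_map(rows):
    """Owning org per object, taken from the org that logged its add entry.

    Assumption: the organisation that created an object owns it. The deleted
    row is gone, so the add entry is the only ownership record left.
    """
    owners = {}
    for r in rows:
        if r["action"] == "add" and r["model"] in WATCHED_MODELS:
            owners[(r["model"], r["model_id"])] = r["org_id"]
    return owners


def find_cross_org_deletes(rows):
    """Deletes where the actor's org differs from (or cannot be matched to) the owner."""
    owners = owner_map(rows)
    findings = []
    for r in rows:
        if r["action"] != "delete" or r["model"] not in WATCHED_MODELS:
            continue
        owner = owners.get((r["model"], r["model_id"]))
        if owner == r["org_id"]:
            continue
        findings.append({
            "when": r["created"].isoformat(),
            "user_id": r["user_id"],
            "actor_org": r["org_id"],
            "owner_org": owner,           # None when no add entry was found
            "object": f'{r["model"]}:{r["model_id"]}',
            "request_id": r["request_id"],
        })
    return findings


def find_bulk_deletes(rows, threshold=BULK_THRESHOLD):
    """Request ids under which at least `threshold` watched objects were deleted."""
    by_request = defaultdict(list)
    for r in rows:
        if r["action"] == "delete" and r["model"] in WATCHED_MODELS:
            by_request[r["request_id"]].append(f'{r["model"]}:{r["model_id"]}')
    return {req: objs for req, objs in by_request.items() if len(objs) >= threshold}


if __name__ == "__main__":
    audit_rows = parse_audit_log(SAMPLE_AUDIT_LOG)
    for finding in find_cross_org_deletes(audit_rows):
        print("cross-org delete:", finding)
    for req, objs in find_bulk_deletes(audit_rows).items():
        print(f"bulk delete in request {req}:", objs)
```

On the sample data the script flags user 9 (org 2) for deleting org 1's reports 11 and 12 and sharing group 5, and reports request b7 as a bulk operation; user 3's deletion of their own report 14 and user 9's deletion of their own report 13 are not flagged. Before alerting on a cross-org finding, join the user ID against the roles table: site administrators legitimately delete across organisations, and an object whose add entry predates the log retention window shows up with owner_org None and needs a manual look rather than an alert.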
