CVE-2026-56424
Received - Intake
Broken Access Control in MISP Core Leading to Cross-Organization Data Tampering

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user’s organization. The affected paths included:

  • Event Reports tag removal: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report.
  • Collection Elements bulk deletion: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element’s actual parent collection, enabling deletion of elements from collections the user did not own.
  • Analyst Data capture/update: nested analyst data updates could overwrite an existing record without applying the normal canEditAnalystData ownership check, enabling cross-organization overwrite of analyst data records.
  • Template Elements editing: editing authorized against a template whose ID matched the template-element ID, rather than the element’s actual parent template, enabling unauthorized edits to another organization’s template elements.
  • Decaying Model editing and mappings: write paths loaded models using view-scope access but did not verify edit ownership, enabling users to edit or remap visible models owned by another organization.

Successful exploitation could allow an authenticated user with subsystem-specific permissions to perform unauthorized cross-organization modifications or deletions of MISP data, resulting in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows.

Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
misp | misp | to 2026-56424 (inc)
CWE ID | Description
CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-56424 is a broken access-control vulnerability in the MISP platform where authorization checks were incorrectly performed against wrong entities or missing on write operations. This flaw allowed lower-privileged authenticated users with certain feature permissions to modify or delete data objects belonging to other organizations without proper authorization.

  • Event Reports tag removal could be exploited to remove tags from reports of other organizations.
  • Collection Elements bulk deletion allowed deletion of elements from collections the user did not own.
  • Analyst Data capture/update permitted overwriting analyst data records across organizations without ownership checks.
  • Template Elements editing allowed unauthorized edits to template elements of other organizations.
  • Decaying Model editing and mappings enabled users to edit or remap models owned by other organizations without proper edit ownership verification.

Successful exploitation results in unauthorized cross-organization modifications or deletions of MISP data, causing integrity loss, tampering with shared intelligence, and disruption of analyst workflows.

Impact Analysis

This vulnerability allows a lower-privileged authenticated user who holds the relevant feature permission to modify or delete threat intelligence data belonging to other organizations. This can lead to data integrity loss, unauthorized tampering with shared intelligence, and disruption of critical analyst workflows.

Specifically, attackers could:

  • Remove tags from event reports they should not have access to.
  • Delete collection elements from collections they do not own.
  • Overwrite analyst data records owned by other organizations.
  • Edit template elements and decaying models belonging to other organizations.

These unauthorized actions can compromise the reliability and trustworthiness of shared threat intelligence data.

Mitigation Strategies

To mitigate CVE-2026-56424, you should update your MISP installation to include the security patches that fix broken access control issues in multiple subsystems.

  • Apply the patch that enforces the canEditAnalystData permission check on analyst data updates to prevent unauthorized overwrites (Resource 1).
  • Ensure the DecayingModel subsystem performs proper ownership verification by adding isEditableByCurrentUser checks before allowing edits or mappings (Resource 2).
  • Update the EventReports tag removal functionality to verify that tag removal targets the authorized report, preventing cross-organization tag removal (Resource 3).
  • Fix TemplateElements editing authorization to check against the parent Template's ID rather than the element's own ID, preventing unauthorized edits (Resource 4).
  • Correct the CollectionElements bulk deletion authorization to verify permissions against the actual parent collection ID, preventing unauthorized deletions (Resource 5).

Additionally, review and restrict user permissions to minimize the risk of exploitation by lower-privileged users with relevant feature permissions.
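
The Template Elements and Collection Elements fixes share one pattern: authorize against the child's stored parent, not against an ID that merely has the same number. The Python model below is an added illustration, not MISP's PHP code; every class, function and value in it is hypothetical and the data is constructed.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    pass

@dataclass
class Template:
    id: int
    org_id: int  # owning organisation

@dataclass
class TemplateElement:
    id: int
    template_id: int  # the element's actual parent
    name: str

# Constructed data: org 1 owns template 7, org 2 owns template 3.
# Element 7 belongs to template 3; its row ID collides with template 7's ID.
TEMPLATES = {7: Template(7, org_id=1), 3: Template(3, org_id=2)}

def fresh_elements():
    return {7: TemplateElement(7, template_id=3, name="original")}

def can_edit_template(user_org, template_id):
    template = TEMPLATES.get(template_id)
    return template is not None and template.org_id == user_org

def edit_element_flawed(elements, user_org, element_id, new_name):
    # Flaw: element row ID is passed where a template ID is expected, so
    # the check passes for whoever owns the template with that same number.
    if not can_edit_template(user_org, element_id):
        raise Forbidden(element_id)
    elements[element_id].name = new_name

def edit_element_fixed(elements, user_org, element_id, new_name):
    element = elements.get(element_id)
    # Resolve the parent from the stored row, never from request input,
    # and answer "missing" and "not yours" identically.
    if element is None or not can_edit_template(user_org, element.template_id):
        raise Forbidden(element_id)
    element.name = new_name
```

A regression test for this class of bug needs fixture data where a child row ID deliberately equals the ID of a parent owned by a different organisation; with non-colliding IDs the flawed check fails closed and the defect stays hidden.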

Compliance Impact

The vulnerability in MISP allows unauthorized cross-organization modifications and deletions of sensitive threat intelligence data by lower-privileged authenticated users. This results in integrity loss and unauthorized tampering with shared intelligence, which can disrupt analyst workflows and compromise data accuracy.

Such unauthorized data modifications and integrity issues could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require maintaining data integrity, confidentiality, and proper access controls to protect sensitive information.

Specifically, the broken access control flaws could lead to unauthorized data changes across organizational boundaries, potentially violating principles of least privilege and data ownership that are critical for regulatory compliance.

Detection Guidance

This vulnerability involves broken access control flaws in MISP where authorization checks are performed against incorrect entities or missing ownership checks, allowing unauthorized cross-organization modifications. Detection would involve monitoring for unusual or unauthorized modifications or deletions in MISP subsystems such as Event Reports tag removal, Collection Elements bulk deletion, Analyst Data updates, Template Elements editing, and Decaying Model editing.

Since the vulnerability requires authenticated users with specific permissions to exploit, detection can focus on auditing user actions and verifying that write operations are authorized correctly.

Suggested commands or approaches to detect exploitation attempts include:

  • Review MISP application logs for unexpected tag removals on event reports where the tag removal target differs from the authorized report.
  • Audit bulk deletion requests on Collection Elements to verify that the collection IDs match the elements' parent collections.
  • Monitor updates to analyst data records for changes where the ownership or edit permissions are bypassed, especially updates with future timestamps or nested child records.
  • Check Template Elements edits to ensure authorization is performed against the parent template ID, not the element ID.
  • Inspect Decaying Model edits and mappings to confirm that only models editable by the current user are modified.

Specific commands depend on your logging and monitoring setup. For example, if you have access to MISP logs or database audit logs, you could run queries or grep commands to find suspicious activity patterns such as:

  • grep or search logs for 'removeTag' operations where the route UUID and request body ID differ.
  • Query database audit tables for bulk deletions where collection-element IDs do not match expected parent collections.
  • Search for analyst data updates with future 'modified' timestamps or ownership changes.
  • Audit TemplateElements edits for authorization mismatches.
  • Monitor DecayingModel edits for unauthorized changes by users without proper ownership.
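
The first check in the list above (tag removals where the route ID and the request body ID differ) can be sketched as follows. This is an added example, not part of MISP: the JSON-lines schema, field names and ownership table are hypothetical and the sample records are constructed, so the field mapping has to be adapted to whatever your request or audit logging actually records.

```python
import json

# Constructed sample in a hypothetical JSON-lines schema (not MISP's log format).
# route_id: object named in the URL, i.e. the one authorization ran against.
# body_id:  object named in the request body, i.e. the one actually changed.
SAMPLE_LOG = "\n".join([
    '{"ts":"2026-06-20T10:01:02Z","user_org":1,"action":"removeTag","route_id":"r-100","body_id":"r-100"}',
    '{"ts":"2026-06-20T10:05:40Z","user_org":1,"action":"removeTag","route_id":"r-100","body_id":"r-205"}',
    '{"ts":"2026-06-20T10:07:11Z","user_org":2,"action":"removeTag","route_id":"r-205","body_id":"r-205"}',
    'truncated line that is not JSON',
])

# Constructed ownership export: report ID -> owning organisation ID.
REPORT_OWNER = {"r-100": 1, "r-205": 2}

def find_suspicious(log_text, owners, action="removeTag"):
    """Return (findings, skipped); findings are (ts, body_id, reasons) tuples."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            if rec["action"] != action:
                continue
            ts, org = rec["ts"], rec["user_org"]
            route_id, body_id = rec["route_id"], rec["body_id"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # counted so gaps in log coverage stay visible
            continue
        reasons = []
        if route_id != body_id:
            reasons.append("authorized object differs from modified object")
        if owners.get(body_id) != org:
            reasons.append("modified object not owned by caller's organisation")
        if reasons:
            findings.append((ts, body_id, reasons))
    return findings, skipped
```

The ownership rule will also flag legitimate writes by site administrators, so filter those roles out before triage.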