CVE-2026-56447
Undergoing Analysis Undergoing Analysis - In Progress

Arbitrary Code Execution in MISP via Malicious Kafka Configuration

Vulnerability report for CVE-2026-56447, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description

MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or administrative image, to host the malicious configuration file. The issue is fixed by restricting the setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-12
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
misp-project misp to 2.5.42 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated site administrator to execute arbitrary code with the privileges of the MISP process by exploiting the ability to set Kafka configuration to arbitrary filesystem paths. Such arbitrary code execution risks unauthorized access, data manipulation, or data breaches.

Given that MISP is often used to handle sensitive threat intelligence data, exploitation of this vulnerability could lead to violations of data protection standards and regulations such as GDPR and HIPAA. Unauthorized code execution could compromise confidentiality, integrity, and availability of sensitive data, which are core requirements of these regulations.

Therefore, this vulnerability negatively impacts compliance by increasing the risk of data breaches and unauthorized access, potentially leading to regulatory penalties and loss of trust.

Detection Guidance

Detection of this vulnerability involves checking if the MISP instance allows an authenticated site administrator to set the Kafka_rdkafka_config setting to arbitrary filesystem paths, especially those writable by MISP such as uploaded files or administrative images.

One approach is to audit the configuration settings and verify that the Kafka_rdkafka_config is restricted to absolute .ini files located only in approved configuration directories outside the webroot and upload targets.

Since the vulnerability involves parsing attacker-controlled INI files that could load external libraries, you can look for suspicious INI files in writable directories or uploaded files that contain unusual rdkafka options like plugin.library.paths.

Commands to assist in detection might include:

  • Searching for Kafka_rdkafka_config settings in MISP configuration files or database entries.
  • Listing writable directories used by MISP for uploads or admin images: `ls -l /path/to/misp/uploads`
  • Finding .ini files in writable or upload directories: `find /path/to/misp/uploads -name '*.ini'`
  • Inspecting suspicious .ini files for rdkafka options that load external libraries: `grep -i 'plugin.library.paths' /path/to/suspicious.ini`
  • Reviewing MISP logs for unusual activity or errors related to rdkafka configuration parsing.

Additionally, reviewing the MISP source code or applying the patch that introduces the `testLogPath` function can help ensure that log paths and filenames are properly validated to prevent exploitation.

Executive Summary

This vulnerability in MISP allows an authenticated site administrator to set the Kafka_rdkafka_config setting to point to any arbitrary filesystem path. MISP then parses the referenced INI file and passes its options to the rdkafka library. An attacker who controls the configuration file can exploit rdkafka options, such as plugin.library.paths, to load an external malicious library. This leads to arbitrary code execution with the privileges of the MISP process.

The attacker can place the malicious configuration file in a MISP-writable location, like an uploaded file or administrative image, to carry out the attack. The vulnerability is fixed by restricting the Kafka_rdkafka_config setting to only accept absolute .ini files located in approved configuration directories outside the webroot and MISP upload targets.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the server running MISP with the privileges of the MISP process. An attacker exploiting this flaw could execute malicious code, potentially compromising the entire system, accessing sensitive data, or disrupting services.

Mitigation Strategies

To mitigate this vulnerability, restrict the Kafka_rdkafka_config setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56447. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart