CVE-2026-56447
Arbitrary Code Execution in MISP via Malicious Kafka Configuration

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or administrative image, to host the malicious configuration file. The issue is fixed by restricting the setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets.
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-829: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Executive Summary

This vulnerability in MISP allows an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP then parses the referenced INI file and passes its options to the rdkafka library. An attacker who controls the configuration file can use rdkafka options, such as plugin.library.paths, to load an external malicious library. This leads to arbitrary code execution with the privileges of the MISP process.

The attacker can place the malicious configuration file in a MISP-writable location, like an uploaded file or administrative image, to carry out the attack. The vulnerability is fixed by restricting the Kafka_rdkafka_config setting to only accept absolute .ini files located in approved configuration directories outside the webroot and MISP upload targets.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the server running MISP with the privileges of the MISP process. An attacker exploiting this flaw could execute malicious code, potentially compromising the entire system, accessing sensitive data, or disrupting services.

Mitigation Strategies

To mitigate this vulnerability, restrict the Kafka_rdkafka_config setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets.
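The check below is an added illustration of the allowlist that the description and the mitigation above call for; it is not MISP's own code (MISP is written in PHP) and the approved and denied directories are constructed placeholders. It accepts a value only if it is an absolute path ending in .ini that, after symlink resolution, sits inside an approved configuration directory and outside the webroot and upload targets.

```python
import os
from pathlib import Path

# Constructed placeholder directories; a real deployment substitutes its own.
APPROVED_CONFIG_DIRS = ["/etc/misp/kafka", "/opt/misp/config"]
DENIED_DIRS = [
    "/var/www/MISP/app/webroot",   # served by the web server
    "/var/www/MISP/app/files",     # MISP upload target
    "/var/www/MISP/app/tmp",       # MISP-writable scratch space
]


def _is_within(path: str, directory: str) -> bool:
    """True if path is directory itself or one of its descendants.

    Compares path components, not string prefixes, so /etc/misp/kafka2
    is correctly rejected as being outside /etc/misp/kafka.
    """
    try:
        Path(path).relative_to(directory)
        return True
    except ValueError:
        return False


def validate_rdkafka_config_path(value, approved=APPROVED_CONFIG_DIRS, denied=DENIED_DIRS):
    """Return (accepted, detail). detail is the resolved path on success, else the reason."""
    if not isinstance(value, str) or not value:
        return False, "value must be a non-empty string"
    if "\x00" in value:
        return False, "embedded NUL byte"
    if not os.path.isabs(value):
        return False, "path must be absolute"
    if not value.endswith(".ini"):
        return False, "path must end in .ini"
    # Resolve symlinks and '..' so that a link or traversal from an approved
    # directory into a MISP-writable location is judged by where it really lands.
    resolved = os.path.realpath(value)
    if not resolved.endswith(".ini"):
        return False, "resolved target is not a .ini file"
    for d in denied:
        if _is_within(resolved, os.path.realpath(d)):
            return False, f"resolved path lies under denied directory {d}"
    if not any(_is_within(resolved, os.path.realpath(d)) for d in approved):
        return False, "resolved path is not under an approved configuration directory"
    return True, resolved
```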
