CVE-2026-60124
Received Received - Intake

Authorization Bypass in MISP Event Import Module

Vulnerability report for CVE-2026-60124, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description

An authorization bypass in MISP’s EventsController::importModule() allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the misp_standard format, the write path did not verify event modification rights before saving the module output. This could allow a view-only user to inject or alter event data, impacting the integrity of MISP event content. The issue was fixed by enforcing the same modification-rights check used by related module result handling paths before processing misp_standard imports.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
misp misp *
misp misp to 2026-60124 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated users or read-only API keys with event view access to modify event data they are not authorized to change, impacting the integrity of MISP event content.

Such unauthorized data modification can undermine data integrity and access control requirements that are critical for compliance with standards like GDPR and HIPAA, which mandate strict controls over data accuracy, integrity, and authorized access.

By allowing view-only users to inject or alter event data, the vulnerability could lead to non-compliance with these regulations due to potential unauthorized data changes and weakened audit trails.

Executive Summary

This vulnerability is an authorization bypass in the MISP software's EventsController::importModule() function. It allowed authenticated users or read-only API keys with only event view access to persist data to events they were not authorized to modify.

Specifically, when an import module returned results in the misp_standard format, the system did not verify if the user had modification rights before saving the module output. This flaw enabled view-only users to inject or alter event data, compromising the integrity of MISP event content.

The issue was fixed by enforcing the same modification-rights check used by related module result handling paths before processing misp_standard imports.

Impact Analysis

This vulnerability can impact you by allowing users who should only have view access to events to instead modify or inject data into those events.

Such unauthorized modifications can compromise the integrity and reliability of the event data within MISP, potentially leading to misinformation or incorrect analysis based on tampered data.

Mitigation Strategies

To mitigate this vulnerability, ensure that your MISP installation is updated with the patch that enforces modification rights checks in the importModule() function.

The fix adds a permission check using $mayModify before allowing any data modifications, throwing a ForbiddenException if the user lacks the necessary rights.

Applying this update will prevent users with only view access or read-only API keys from persisting unauthorized changes to events.

Detection Guidance

This vulnerability involves an authorization bypass in MISP's importModule() function, allowing users with only event view access to modify event data. Detection would involve monitoring for unauthorized modifications to events by users or API keys that should only have read-only access.

Since the issue is related to permission checks missing in the importModule() function when processing misp_standard formatted imports, detection can focus on auditing logs for unexpected write operations or modifications initiated by users with limited permissions.

Specific commands are not provided in the available resources. However, general approaches could include:

  • Reviewing MISP application logs for events where users with read-only API keys or view-only access performed event modifications.
  • Using MISP's API to query event modification history and cross-checking the modifying user permissions.
  • Implementing monitoring scripts to detect discrepancies between user permissions and event modification actions.

For exact commands or scripts, further documentation or tooling specific to MISP would be required, which is not included in the provided resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60124. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart