CVE-2026-61474
Deferred Deferred - Pending Action

Improper Authorization in MISP Attribute Creation

Vulnerability report for CVE-2026-61474, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description

An improper authorization check in MISP’s attribute creation endpoint allowed an authenticated user with permission to add attributes to submit a sharing_group_id without triggering the corresponding sharing group authorization check, as long as the attribute distribution value was not explicitly set to 4 — “sharing group”. As a result, a user could reference or associate an attribute with a sharing group they were not authorized to use. This could lead to an access-control bypass affecting the integrity of attribute sharing metadata and potentially expose or misuse restricted sharing group relationships. The patch changes the authorization logic so that the sharing group permission check is performed whenever a non-empty sharing_group_id is provided, regardless of the selected distribution value.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
misp misp *
misp misp From 5a6e4751-2f3f-4070-9419-94fb35b644e8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated user to bypass sharing group authorization checks and associate attributes with sharing groups they are not authorized to use. This access-control bypass can lead to exposure or misuse of restricted sharing group relationships and compromise the integrity of attribute sharing metadata.

Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data to ensure privacy and data integrity.

Executive Summary

This vulnerability is an improper authorization check in MISP’s attribute creation endpoint. It allowed an authenticated user who had permission to add attributes to submit a sharing_group_id without triggering the necessary sharing group authorization check, as long as the attribute's distribution value was not explicitly set to 4 (which represents the sharing group distribution).

As a result, a user could associate an attribute with a sharing group they were not authorized to use, leading to an access-control bypass that affects the integrity of attribute sharing metadata and could expose or misuse restricted sharing group relationships.

The patch fixes this by enforcing the sharing group permission check whenever a non-empty sharing_group_id is provided, regardless of the distribution value.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to associate attributes with sharing groups they should not have access to. This leads to an access-control bypass.

Such unauthorized associations can compromise the integrity of attribute sharing metadata and potentially expose or misuse restricted sharing group relationships, which may result in sensitive information being accessed or shared improperly.

Detection Guidance

Detection of this vulnerability involves monitoring attempts to create or modify attributes with a sharing_group_id without proper authorization checks. Specifically, look for requests to the MISP attribute creation endpoint where a sharing_group_id is provided but the distribution value is not set to 4.

Since the vulnerability is related to improper authorization checks in the application logic, network-level detection might involve inspecting API request logs for suspicious attribute creation attempts referencing unauthorized sharing groups.

Commands to detect such activity would depend on your logging and monitoring setup. For example, if you have access logs or API logs, you could use grep or similar tools to search for attribute creation requests containing sharing_group_id parameters.

  • grep -i 'sharing_group_id' /path/to/misp/api/logs | grep -v 'distribution=4'
  • Review application logs for ForbiddenException errors with the message "Invalid Sharing Group or not authorised." which indicate enforcement of the fix.
Mitigation Strategies

The immediate mitigation step is to apply the security patch that enforces the sharing group authorization check regardless of the distribution value.

This patch modifies the attribute creation endpoint to verify the sharing_group_id and call the authorization function __canUseSharingGroup(). If unauthorized, it throws a ForbiddenException, preventing access control bypass.

Ensure your MISP instance is updated to the version including commit df612166538e2979fae9f7eda88345ccc8fee761 or later.

Additionally, review user permissions to limit attribute creation rights to trusted users and monitor logs for unauthorized attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61474. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart