Home

Description

An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users.

PUBLISHED Reserved 2026-06-12 | Published 2026-06-12 | Updated 2026-06-15 | Assigner CIRCL




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-863 Incorrect Authorization

Product status

Default status
unaffected

Any version before 2.5.40
affected

Credits

Jeroen Pinoy finder

Andras Iklody remediation developer

References

github.com/...ommit/8aa2bb6d1af6e8c57c8d8437cf203acb8bce7a53 patch

cve.org (CVE-2026-54362)

nvd.nist.gov (CVE-2026-54362)

Download JSON