CVE-2026-54398 | THREATINT

Description

An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use. An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.

PUBLISHED Reserved 2026-06-12 | Published 2026-06-12 | Updated 2026-06-15 | Assigner CIRCL

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-863 Incorrect Authorization

Product status

Default status

unaffected

Any version before 2.5.40

affected

Credits

Andras Iklody remediation developer

Jeroen Pinoy finder

References

github.com/...ommit/4fe48c523e66999d65f99fdec9508adb3aa1c0f3 patch

cve.org (CVE-2026-54398)

nvd.nist.gov (CVE-2026-54398)

Download JSON