
Description

MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.
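The two linking policies described above, side by side, as an added illustration that is not MISP's code: the `link_by_email_fallback` function models the vulnerable behaviour (match on the email claim whenever the local account has no stored `sub`), and `link_hardened` models the defender's fix (authenticate only on a stored `sub`, and fall back to email only when the operator has explicitly marked the IdP as enforcing email ownership and the claim is `email_verified`). All class, function and parameter names, and the sample accounts, are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LocalUser:
    email: str
    sub: Optional[str] = None  # OIDC subject; None until the account is first linked


@dataclass
class Claims:
    sub: str
    email: str
    email_verified: bool = False


def _find_by_sub(users: List[LocalUser], claims: Claims) -> Optional[LocalUser]:
    # A stored sub is the only identifier the IdP guarantees to be stable and unique.
    return next((u for u in users if u.sub is not None and u.sub == claims.sub), None)


def link_by_email_fallback(users: List[LocalUser], claims: Claims) -> Optional[LocalUser]:
    """Vulnerable policy (CWE-287): any unlinked local account is claimed by the
    first token whose email claim matches, regardless of who controls that email."""
    user = _find_by_sub(users, claims)
    if user:
        return user
    for u in users:
        if u.sub is None and u.email.lower() == claims.email.lower():
            u.sub = claims.sub  # binds the presenter's sub to someone else's account
            return u
    return None


def link_hardened(users: List[LocalUser], claims: Claims,
                  trusted_email_idp: bool = False) -> Optional[LocalUser]:
    """Hardened policy: email-based auto-linking happens only when the operator
    has declared that this IdP enforces email ownership AND the claim is verified.
    Otherwise an unlinked account requires an out-of-band linking step."""
    user = _find_by_sub(users, claims)
    if user:
        return user
    if not (trusted_email_idp and claims.email_verified):
        return None  # no stored sub and no basis to trust the email claim: reject
    for u in users:
        if u.sub is None and u.email.lower() == claims.email.lower():
            u.sub = claims.sub
            return u
    return None
```

Once an account carries a `sub`, a later token with a different `sub` but the same email is rejected by both loops of `link_hardened`, so the window for takeover is limited to the operator-approved first login.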

State: PUBLISHED | Reserved 2026-05-20 | Published 2026-05-20 | Updated 2026-05-20 | Assigner: CIRCL

MEDIUM: 6.0 (CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-287 Improper Authentication

Product status

Default status: unaffected

2.5.0 (semver): affected

Credits

Ali Ganiyev (finder)

Luciano Righetti (remediation developer)

References

github.com/...ommit/71f5662c1b5886613d2cd5c72fd93bb4ca6fa172 (patch)

cve.org (CVE-2026-9084)

nvd.nist.gov (CVE-2026-9084)
