CVE-2026-54358: MISP organization administrators can target site administrator accounts for password reset
An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own organization, but did not exclude accounts assigned a site administrator role from recipient queries. As a result, an organization administrator could perform privileged account-management actions, such as initiating a password reset workflow, against a higher-privileged site administrator account in the same organization. Successful exploitation may allow an authenticated organization administrator to interfere with or potentially take over a site administrator account, resulting in privilege escalation and full compromise of the MISP instance's confidentiality, integrity, and availability.

Attack prerequisites: The attacker must be authenticated as an organization administrator in the same organization as a site administrator account.
Metrics
- CVSS v4.0: 7.5
- Severity: HIGH
- Fixed in: 2.5.40
- Affected Products: 1
HarborGuard Analysis
Synopsis
An incorrect authorization vulnerability in MISP allows an authenticated organization administrator to target site administrator accounts within the same organization through the administrative email and password reset functionality. The affected code failed to exclude higher-privileged site administrator accounts from recipient queries, meaning an organization administrator could initiate a password reset workflow against a site administrator account they should not be able to touch. Successful exploitation enables privilege escalation and full compromise of the MISP instance. A patched-image rebuild at version 2.5.40 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-54358 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that bundle MISP. Any image running a MISP version below 2.5.40 is flagged automatically.
HarborGuard is capable of scoring this finding at CVSS 7.5 (High) and weighting it further against each environment's compliance policy, for example elevating priority in environments where threat-intelligence platforms are designated critical infrastructure. Findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at MISP 2.5.40 becomes available through HarborGuard once the fix version is confirmed against the affected image. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the MISP web interface over the network to interact with the administrative email functionality.
- Authentication: Required
An existing organization administrator account within the same organization as a site administrator is required; a low-privilege user account alone is not sufficient.
- Victim interaction: Not required
No action is required from the targeted site administrator; the attacker initiates the password reset workflow unilaterally.
- Attack complexity: Detail
While the base exploit steps are straightforward, the CVSS AT:P token indicates that specific target conditions must be present, namely a site administrator account co-located in the same organization as the attacker's account.
Blast Radius
- Reads all threat intelligence, events, and indicators stored in the MISP instance by escalating to a site administrator session.
- Modifies or deletes MISP events, feeds, sharing groups, and organization configurations across the entire instance.
- Crashes or degrades the MISP service by abusing site-level administrative controls available after privilege escalation.
- Gains persistent access to the compromised site administrator account, potentially enabling lateral movement to connected MISP federation peers.
How HarborGuard Handles This
Available on HarborGuard: images running MISP versions below 2.5.40 are detectable as affected within minutes of CVE publication. Where compliance policy permits, a rebuilt image at 2.5.40 is available for deployment; customers with auto-remediation enabled receive a rebuilt image, a regression test run, and a pull request opened against affected workloads. For High-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Until the patched image is deployed, consider restricting organization administrator role assignments to trusted accounts only, applying network-policy controls to limit MISP administrative interface exposure, and auditing existing organization memberships to identify any site administrator accounts that share an organization with non-site-admin users.
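The flaw described above is a recipient query that is scoped to the organization administrator's own organization but never checks the target's role. The following is an added illustration, not MISP's own code: it places a query of that shape beside a hardened version that also excludes site administrator accounts, and implements the membership audit suggested as a stop-gap (site administrators who share an organization with non-site-admin users). The user records, field names (`org_id`, `is_site_admin`) and addresses are constructed for the example and do not correspond to MISP's data model.

```python
"""Constructed illustration of the authorization class behind CVE-2026-54358
and of the organization-membership audit recommended as a stop-gap.

This is not MISP code. The User record, its field names and the sample
directory below are assumptions made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class User:
    user_id: int
    email: str
    org_id: int
    is_site_admin: bool  # assumed stand-in for "role carries site-admin permission"


# Constructed sample directory (no real accounts).
USERS: List[User] = [
    User(1, "site-admin@example.test", 1, True),
    User(2, "org-admin@example.test", 1, False),
    User(3, "analyst@example.test", 1, False),
    User(4, "other-site-admin@example.test", 2, True),
    User(5, "other-analyst@example.test", 2, False),
]


def recipients_vulnerable(users: Sequence[User], org_admin: User) -> List[User]:
    """Recipient query in the shape the advisory describes: restricted to the
    org admin's own organization, but with no check on the target's role, so
    a site administrator in the same org is a valid recipient."""
    return [u for u in users if u.org_id == org_admin.org_id]


def recipients_fixed(users: Sequence[User], org_admin: User) -> List[User]:
    """Hardened query: same organization scope, plus accounts holding a
    site-admin role are excluded, so an org admin can only run
    account-management actions against users at or below its own level."""
    return [
        u for u in users
        if u.org_id == org_admin.org_id and not u.is_site_admin
    ]


def audit_shared_orgs(users: Sequence[User]) -> Dict[int, List[str]]:
    """Membership audit from the mitigation guidance: for every organization
    where at least one site administrator shares the org with at least one
    non-site-admin user, return {org_id: [site admin emails]}.  Organizations
    that contain only site admins, or no site admins, produce no finding."""
    by_org: Dict[int, List[User]] = {}
    for u in users:
        by_org.setdefault(u.org_id, []).append(u)

    findings: Dict[int, List[str]] = {}
    for org_id, members in by_org.items():
        site_admins = sorted(m.email for m in members if m.is_site_admin)
        others = [m for m in members if not m.is_site_admin]
        if site_admins and others:
            findings[org_id] = site_admins
    return findings


if __name__ == "__main__":
    org_admin = USERS[1]  # the constructed organization administrator
    print("vulnerable query reaches:",
          [u.email for u in recipients_vulnerable(USERS, org_admin)])
    print("fixed query reaches:     ",
          [u.email for u in recipients_fixed(USERS, org_admin)])
    print("orgs needing review:     ", audit_shared_orgs(USERS))
```

Running the module prints the site administrator among the vulnerable query's recipients and absent from the fixed query's, and lists both constructed organizations as needing review because each has a site admin sharing an org with a lower-privileged user. The same audit logic, pointed at a real user export, is the check to run before deciding whether the interim restriction of organization administrator assignments applies to an instance.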
- misp / misp: < 2.5.40 (from 0)
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N