CVE-2026-54359: MISP automation endpoints may be exposed to CSRF when Sec-Fetch-Site protection is disabled by default
MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote unauthenticated attacker could craft a malicious web page that causes an authenticated MISP user’s browser to issue cross-site requests to MISP automation endpoints. If successful, the forged requests may be processed with the privileges of the victim user, potentially allowing unauthorized modification of MISP data or configuration. Enabling Security.check_sec_fetch_site_header mitigates this issue, although operators of multi-homed MISP deployments should validate the setting before enforcing it.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: 2.5.40
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a cross-site request forgery (CSRF) vulnerability in MISP, the open-source threat intelligence platform. The flaw stems from an insecure default configuration: the Security.check_sec_fetch_site_header control is off by default, meaning MISP does not validate the browser-provided Sec-Fetch-Site header on state-changing requests such as POST, PUT, or AJAX calls. An unauthenticated remote attacker who tricks an authenticated MISP user into visiting a malicious page can forge requests that MISP processes with the victim's privileges, enabling unauthorized modification of MISP data or configuration. The header is a Fetch Metadata request header that the browser sets itself and that a cross-site page cannot override, so once the check is enabled a forged request arrives marked cross-site and is rejected, while requests from MISP's own pages arrive marked same-origin and are unaffected. A patched-image rebuild at version 2.5.40 is available on HarborGuard for environments running an affected version.
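To make the control concrete, here is an added illustration in Python of the check that Security.check_sec_fetch_site_header turns on, together with the values a browser would send in the legitimate, forged and multi-homed cases. It is example code written for this page, not MISP's own (PHP) implementation: the Request model, the origins, the target URL and the rule that requests authenticated by an API key rather than a session cookie are exempt are all assumptions made here, and the registrable-domain helper is a simplification of what browsers derive from the Public Suffix List.

```python
"""Fetch Metadata (Sec-Fetch-Site) enforcement for state-changing requests.

Added illustration, not MISP's own code: it models the control that the
Security.check_sec_fetch_site_header setting switches on and shows what a
browser sends in the legitimate, forged and multi-homed cases. Every request,
origin, URL and header value below is constructed for the example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Values the Fetch Metadata resource-isolation policy treats as trusted.
TRUSTED_SITES = {"same-origin", "same-site", "none"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookie_session: bool = True  # authenticated by a session cookie, hence CSRF-able


def get_header(req: Request, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_sec_fetch_site(req: Request, enforce: bool = True) -> tuple:
    """Return (allowed, reason) for a request.

    enforce=False reproduces the insecure default, where nothing is checked.
    Only cookie-authenticated, state-changing requests are subject to the check
    (an assumption of this example): a browser cannot attach an API key to a
    cross-site request, and a GET should not change state in the first place.
    """
    if not enforce:
        return True, "check disabled (insecure default)"
    if req.method.upper() not in STATE_CHANGING:
        return True, "safe method"
    if not req.cookie_session:
        return True, "not a cookie session"
    site = get_header(req, "Sec-Fetch-Site")
    if site is None:
        # No Fetch Metadata: an old browser or a non-browser client using cookies.
        # Failing closed is the safe choice; relaxing it is a deployment decision.
        return False, "Sec-Fetch-Site missing"
    site = site.strip().lower()
    if site in TRUSTED_SITES:
        return True, f"Sec-Fetch-Site={site}"
    return False, f"Sec-Fetch-Site={site}"


def registrable_domain(host: str) -> str:
    """Simplified: the last two labels. Real browsers use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def browser_sec_fetch_site(initiator_origin: str, target_url: str) -> str:
    """Value a browser puts in Sec-Fetch-Site for a request from an origin to a URL."""
    init, target = urlsplit(initiator_origin), urlsplit(target_url)
    if (init.scheme, init.hostname, init.port) == (target.scheme, target.hostname, target.port):
        return "same-origin"
    if registrable_domain(init.hostname) == registrable_domain(target.hostname):
        return "same-site"
    return "cross-site"


def scenarios() -> dict:
    """Constructed requests against a hypothetical state-changing MISP URL."""
    target = "https://misp.example.org/some/state-changing/action"  # constructed
    # Legitimate request from MISP's own UI.
    ui = Request("POST", {"Sec-Fetch-Site": browser_sec_fetch_site("https://misp.example.org", target)})
    # Forged request from an attacker-controlled page the victim visited.
    forged = Request("POST", {"Sec-Fetch-Site": browser_sec_fetch_site("https://attacker.example.com", target)})
    # API client authenticated by key: browsers send no Fetch Metadata here.
    api = Request("POST", {"Authorization": "constructed-api-key"}, cookie_session=False)
    # Multi-homed: UI loaded via a second hostname under another registrable
    # domain, posting to the configured base URL.
    other_home = Request("POST", {"Sec-Fetch-Site": browser_sec_fetch_site("https://misp.corp-internal.net", target)})
    return {
        "ui_enforced": check_sec_fetch_site(ui)[0],
        "forged_default": check_sec_fetch_site(forged, enforce=False)[0],
        "forged_enforced": check_sec_fetch_site(forged)[0],
        "api_enforced": check_sec_fetch_site(api)[0],
        "other_home_enforced": check_sec_fetch_site(other_home)[0],
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:22s} {'allowed' if allowed else 'rejected'}")
```

Running scenarios() shows the forged request accepted under the insecure default and rejected once the check is enforced, while the UI's same-origin request and the API-key client pass. The last case is what the advisory's validation caveat is about: in a multi-homed deployment where the UI is loaded from one hostname but its forms or AJAX calls target another under a different registrable domain, the browser labels those legitimate requests cross-site and an enforced check blocks them, so the hostnames in use need to be checked before the setting is switched on.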
HarborGuard Coverage
- Detection: available. CVE-2026-54359 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle MISP, in both registry scans and CI/CD pipeline checks.
- Triage: available. The CVSS v4.0 score of 7.1 (HIGH) is weighted against each customer organization's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer environment based on policy-defined ownership rules.
- Remediation: available. A patched-image rebuild at MISP 2.5.40 is provided for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The victim's browser must be able to reach the MISP instance, and the attacker must be able to deliver a malicious web page that the browser loads while the victim holds an active MISP session. The attacker needs no direct route to MISP: an instance reachable only from an internal network is still exposed, because the forged requests are issued by the victim's browser from inside that network.
- Authentication: Not required
The attacker does not need any account or credentials on the MISP instance; the forged requests ride on the victim user's existing authenticated session.
- Victim interaction: Required
The victim must visit an attacker-controlled web page while logged into MISP, providing the browser context needed to issue the forged cross-site requests.
- Attack complexity: Low
The exploit is reliable and condition-free once the victim visits the malicious page; no race conditions or environmental factors are required.
Blast Radius
- The attacker can modify MISP event data, indicators of compromise, or sharing rules using the victim's privileges.
- Configuration changes, such as enabling integrations or altering user permissions, can be made by forging requests to MISP administration endpoints.
- Subordinate system integrity (SI:L) is also at risk, meaning objects in systems connected to MISP, such as downstream feeds or export targets, may be indirectly affected by corrupted or tampered data pushed from MISP.
How HarborGuard Handles This
Available on HarborGuard: detection of this vulnerability is active across all connected customer registries and pipelines as of minutes after CVE publication on 2026-06-12. Where compliance policy permits auto-remediation, HarborGuard can trigger a rebuild of affected images at MISP 2.5.40, run regression tests against the rebuilt image, and open a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not yet enabled, HarborGuard surfaces the finding with the CVSS 7.1 HIGH score and recommends enabling Security.check_sec_fetch_site_header in MISP configuration as an immediate compensating control; operators running multi-homed MISP deployments should validate that setting before enforcing it, as noted in the upstream advisory from CIRCL.
Affected versions
- misp/misp: < 2.5.40 (from 0)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N