HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-54360Published Modified CNA CIRCL

CVE-2026-54360: MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one. An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups. Affected component: app/Controller/SharingGroupsController.php, add() action

Metrics

CVSS v4.0
8.4
Severity
HIGH
Fixed in
2.5.40
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A mass assignment vulnerability in MISP's sharing group creation endpoint allows an authenticated attacker to overwrite existing sharing groups they do not have permission to edit. The flaw is reachable over the network with only a low-privilege account and requires no victim interaction. Successful exploitation lets the attacker take over or alter sharing groups, leaking membership and threat-intel data shared through those groups and corrupting their configuration. A patched-image rebuild at version 2.5.40 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-54360 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built MISP images, as they pass through CI/CD pipelines and registry scans.

Available
Triage

Triage is available using the CVSS v4.0 score of 8.4 (HIGH), weighted against each environment's compliance policy to prioritize alert routing; findings are delivered to the appropriate team inbox within each customer organization based on configured escalation rules.

Available
Patch

A patched-image rebuild at MISP 2.5.40 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests against the new image, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the MISP instance via HTTP/HTTPS.

  • AuthenticationRequired

    Any low-privilege account with permission to create sharing groups is sufficient to exploit this vulnerability; no admin credentials are needed.

  • Victim interactionNot required

    The attacker submits a crafted request directly; no other user needs to take any action for exploitation to succeed.

  • Attack complexityDetail

    Exploitation is reliable and condition-free: the attacker simply supplies a target sharing group ID in the creation payload, with no race conditions or environment-specific factors required.

Blast Radius

  • Reads the membership list and threat-intelligence content of sharing groups the attacker does not have legitimate access to.
  • Overwrites the configuration of an existing sharing group, redirecting or restricting the flow of shared threat-intel data across organizations.
  • Corrupts trust relationships between MISP instances by altering which organizations are included in a sharing group without authorization.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-54360 is active across all scanning pipelines the moment the CVE was published, covering any image that packages MISP below version 2.5.40. For environments where an affected image is found, a rebuild at the fixed version 2.5.40 is available. For customers who opt into auto-remediation, HarborGuard initiates the rebuild, runs the regression suite against the patched image, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automatic remediation, the finding is surfaced with severity and fix-version detail so engineering teams can act manually. Because the fix is already available upstream, no compensating-control workaround period is expected, but customers who cannot patch immediately should consider network-policy controls that restrict which internal principals can reach the MISP sharing-group creation endpoint.

See how HarborGuard automates this

Fix available

2.5.40
Patch commits
Affected packages
  • misp / misp
    < 2.5.40 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
References