{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-54360: MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-54360","status":"final","version":"1","initial_release_date":"2026-06-12T19:51:44.187Z","current_release_date":"2026-06-15T18:19:33.960Z","revision_history":[{"date":"2026-06-12T19:51:44.187Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one.\n\nAn authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.\n\nAffected component:\napp/Controller/SharingGroupsController.php, add() action","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-54360 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-54360"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-54360"},{"category":"external","summary":"github.com","url":"https://github.com/MISP/MISP/commit/687e7cb530ae0e2faaadf5e3e44712258fb3ef1b"}]},"product_tree":{"branches":[{"category":"vendor","name":"misp","branches":[{"category":"product_name","name":"misp","branches":[{"category":"product_version_range","name":"<2.5.40","product":{"name":"misp misp <2.5.40","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-54360","title":"MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups","notes":[{"category":"description","text":"A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one.\n\nAn authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.\n\nAffected component:\napp/Controller/SharingGroupsController.php, add() action","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N","baseScore":8.4,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 2.5.40.","product_ids":["CSAFPID-1"],"url":"https://github.com/MISP/MISP/commit/687e7cb530ae0e2faaadf5e3e44712258fb3ef1b"}]}]}