CVE-2026-54361: MISP mass assignment vulnerabilities allow unauthorized modification of ownership and delegation records
MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-related fields such as id, org_id, orgc_id, and user_id. An authenticated attacker with access to the affected endpoints could craft requests containing protected fields in order to alter object ownership, redirect an update to another record, overwrite existing event delegation requests, or modify shadow attribute proposals belonging to another organization. This could result in unauthorized modification of MISP objects and, depending on object visibility and sharing configuration, unauthorized access to or transfer of sensitive threat intelligence data.

The issue was fixed by explicitly pinning ownership and identity fields to their stored values during edit operations and by removing user-supplied primary keys from create-only save paths.

Affected components:
- CollectionsController::edit()
- EventDelegationsController::delegateEvent()
- ShadowAttributesController::edit()
- TagCollectionsController::edit()
- TagCollectionsController::editWithTags()

Attack requirements: The attacker must be authenticated and able to reach the affected MISP endpoints. No user interaction is required.
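As an added illustration of the pattern the advisory describes, here is the mass assignment bug beside its hardened form in CakePHP 2 style, the framework family MISP's controllers are written in. This is example code, not MISP's own: the Collection model and its name/description/distribution columns are hypothetical stand-ins for the affected models, the protected columns (id, org_id, orgc_id, user_id) follow the advisory, and the code assumes the authenticated user record exposes id and org_id through AuthComponent.

```php
<?php
// Added example in CakePHP 2 style; not MISP's own code. "Collection" and its
// editable columns are hypothetical; id/org_id/orgc_id/user_id follow the
// advisory. Assumes $this->Auth->user('id') and ->user('org_id') are set.
App::uses('AppController', 'Controller');

class CollectionsController extends AppController
{
    // The only columns a client may set. Everything else is server-owned.
    private static $editable = array('name', 'description', 'distribution');

    // Keep just the allow-listed columns from the request body. A client-
    // supplied id, org_id, orgc_id or user_id is discarded here.
    private function _clientFields()
    {
        $sent = isset($this->request->data['Collection'])
            ? $this->request->data['Collection'] : array();
        return array_intersect_key($sent, array_flip(self::$editable));
    }

    // BEFORE (the mass assignment pattern): the whole request body is saved.
    // A payload carrying id=<other record> can redirect this edit to that
    // record; a payload carrying org_id=<attacker org> transfers ownership.
    public function editVulnerable($id)
    {
        $this->request->allowMethod(array('post', 'put'));
        $this->Collection->id = $id;
        if ($this->Collection->save($this->request->data)) {
            return $this->redirect(array('action' => 'view', $this->Collection->id));
        }
        throw new InternalErrorException('Save failed');
    }

    // AFTER: load the stored row, authorise against it, then build the save
    // payload from the stored identity/ownership values plus the allow-listed
    // client fields. The id is pinned from the row, never from the request.
    public function edit($id)
    {
        $this->request->allowMethod(array('post', 'put'));
        $existing = $this->Collection->find('first', array(
            'conditions' => array('Collection.id' => $id),
            'recursive' => -1,
        ));
        if (empty($existing)) {
            throw new NotFoundException('Invalid collection');
        }
        // Ownership check against the stored row (admin bypass omitted here).
        if ((int)$existing['Collection']['org_id'] !== (int)$this->Auth->user('org_id')) {
            throw new ForbiddenException('Collection belongs to another organisation');
        }
        $data = array('Collection' => $this->_clientFields());
        foreach (array('id', 'org_id', 'orgc_id', 'user_id') as $pinned) {
            $data['Collection'][$pinned] = $existing['Collection'][$pinned];
        }
        // fieldList alone is not enough: a primary key left in the payload can
        // still select which row the UPDATE hits, hence the explicit pin above.
        $ok = $this->Collection->save($data, array(
            'fieldList' => array_merge(array('id', 'org_id', 'orgc_id', 'user_id'), self::$editable),
        ));
        if ($ok) {
            return $this->redirect(array('action' => 'view', $existing['Collection']['id']));
        }
        throw new InternalErrorException('Save failed');
    }

    // Create-only path: the primary key is never taken from the client (the
    // allow-list drops it) and ownership comes from the session, so a "create"
    // cannot be turned into an update of an existing row.
    public function add()
    {
        $this->request->allowMethod(array('post'));
        $data = array('Collection' => $this->_clientFields());
        $data['Collection']['org_id'] = $this->Auth->user('org_id');
        $data['Collection']['orgc_id'] = $this->Auth->user('org_id');
        $data['Collection']['user_id'] = $this->Auth->user('id');
        $this->Collection->create();
        $ok = $this->Collection->save($data, array(
            'fieldList' => array_merge(array('org_id', 'orgc_id', 'user_id'), self::$editable),
        ));
        if ($ok) {
            return $this->redirect(array('action' => 'view', $this->Collection->id));
        }
        throw new InternalErrorException('Save failed');
    }
}
```

The two hardening steps mirror the fix description: on edit, identity and ownership columns are copied from the stored row after the request has been reduced to an allow-list, and on create the primary key is simply never accepted from the client. Relying on a save whitelist by itself is the common half-fix; it controls which columns are written but not which row is addressed.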
Metrics
- CVSS v4.0: 8.8
- Severity: HIGH
- Fixed in: 2.5.40
- Affected Products: 1
HarborGuard Analysis
Synopsis
Mass assignment vulnerabilities in MISP (versions prior to 2.5.40) allow an authenticated attacker to inject protected fields such as org_id, orgc_id, user_id, and record identifiers into controller actions that should ignore user-supplied values. The attack is reachable over the network and requires no victim interaction, though a valid account is needed. Successful exploitation lets an attacker reassign object ownership, redirect an update to another record, overwrite event delegation requests, and modify shadow attribute proposals belonging to other organizations; depending on object visibility and sharing configuration, this can extend to unauthorized access to or transfer of threat intelligence data. A patched-image rebuild at version 2.5.40 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-54361 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package MISP. Any image layer carrying a MISP version below 2.5.40 is flagged automatically.
HarborGuard scores this CVE at CVSS 8.8 (High) and surfaces it with that severity weighting inside each customer environment. Per-environment compliance policies can escalate or filter the finding, and routing rules direct the alert to the appropriate team or inbox within each customer organization.
A patched-image rebuild at MISP 2.5.40 is available through HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the MISP application over the network; the affected endpoints are exposed via HTTP/HTTPS.
- Authentication: Required
A valid MISP account is required; any low-privilege account with access to the affected endpoints is sufficient to craft a malicious request.
- Victim interaction: Not required
No victim interaction is needed; the attacker sends crafted requests directly to the affected controller actions.
- Attack complexity: Low
No race conditions, special memory layout, or environmental factors are required; the attacker only has to include the protected fields in an otherwise ordinary request to the controller actions.
Blast Radius
- Gains access to threat intelligence records and event data belonging to other organizations by moving object ownership to an attacker-controlled account or organization, to the extent that object visibility and sharing configuration expose the reassigned data.
- Modifies ownership fields (org_id, orgc_id, user_id) on MISP collections, tag collections, event delegations, and shadow attribute proposals, effectively hijacking records.
- Overwrites existing event delegation requests, disrupting legitimate inter-organization sharing workflows.
- Alters shadow attribute proposals belonging to other organizations, corrupting collaborative threat intelligence data.
How HarborGuard Handles This
Available on HarborGuard: detection, triage, and remediation capabilities are ready for environments running any MISP version below 2.5.40. For customers with auto-remediation enabled, HarborGuard can rebuild the affected image at version 2.5.40, execute a regression test run, and open a pull request against affected workloads; for High-severity CVEs, median time from publication to a merged patch PR is approximately 90 minutes in environments with auto-remediation active. Where compliance policy requires manual approval, the rebuilt image is staged and the finding is routed to the appropriate team for review. Until a rebuild is deployed, consider restricting access to the affected MISP controller endpoints via network policy, limiting the pool of accounts that can reach CollectionsController, EventDelegationsController, ShadowAttributesController, and TagCollectionsController, and auditing ownership fields on recently modified records for unexpected changes.
- misp / misp < 2.5.40 (from 0)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N