CRITICAL | CVE-2026-56422 | CNA: CIRCL

CVE-2026-56422: MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields

Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object. In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user’s context. The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub’s patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned.
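
The strip, whitelist and re-pin patterns described above, as an added illustration that is not MISP or CakePHP code. It is a toy in-memory table in plain PHP; `save()`, `authorize()`, the `EDITABLE_FIELDS` list and the sample rows are all constructed for this example.

```php
<?php
// Added illustration; not MISP or CakePHP code. $table models a DB table keyed by id.
// save() mimics ORM behaviour: a record that carries an existing id updates that row.
function save(array &$table, array $record): int {
    $id = (int)($record['id'] ?? (count($table) ? max(array_keys($table)) + 1 : 1));
    $table[$id] = array_merge($table[$id] ?? [], $record, ['id' => $id]);
    return $id;
}

// Authorization is decided on the row named by the route, for the caller's org.
function authorize(array $table, int $routeId, int $userOrg): array {
    $row = $table[$routeId] ?? null;
    if ($row === null || $row['org_id'] !== $userOrg) {
        throw new RuntimeException('not authorized for this row');
    }
    return $row;
}

// Flawed pattern: the check uses the route id, but the save follows the payload id.
function editUnpinned(array &$table, int $routeId, int $userOrg, array $payload): int {
    $row = authorize($table, $routeId, $userOrg);
    return save($table, array_merge($row, $payload));
}

// Hardened pattern: whitelist editable fields, then re-pin the authorized primary key.
const EDITABLE_FIELDS = ['value', 'comment'];   // hypothetical field names
function editPinned(array &$table, int $routeId, int $userOrg, array $payload): int {
    $row = authorize($table, $routeId, $userOrg);
    $fields = array_intersect_key($payload, array_flip(EDITABLE_FIELDS));
    return save($table, array_merge($row, $fields, ['id' => $routeId]));
}

// Create-only save: drop any client primary key and set ownership server-side.
function createStripped(array &$table, int $userOrg, array $payload): int {
    unset($payload['id']);
    return save($table, array_merge($payload, ['org_id' => $userOrg]));
}

// Constructed sample data: row 1 belongs to org 10, row 2 to org 20.
$seed = [1 => ['id' => 1, 'org_id' => 10, 'value' => 'a'],
         2 => ['id' => 2, 'org_id' => 20, 'value' => 'b']];
$payload = ['id' => 2, 'org_id' => 10, 'value' => 'changed'];  // ids disagree with route

$t = $seed; editUnpinned($t, 1, 10, $payload);
echo "unpinned: ", json_encode($t), PHP_EOL;
$t = $seed; editPinned($t, 1, 10, $payload);
echo "pinned:   ", json_encode($t), PHP_EOL;
$t = $seed; $new = createStripped($t, 10, $payload);
echo "created row id: $new", PHP_EOL;
```

In the unpinned run the write lands on row 2 although authorization was checked against row 1; in the pinned run only row 1 changes and its `org_id` is untouched.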

Metrics

  • CVSS v4.0: 9.4
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A mass assignment vulnerability in MISP core allows an authenticated user to overwrite or re-parent objects outside their authorization scope. Per the CVSS v4.0 vector components AV:N/AC:L/PR:L/UI:N, the flaw is reachable over the network with only a low-privilege account and requires no victim interaction. Successful exploitation has full read, write, and availability impact on both the vulnerable component and downstream scope, including object overwrite, ownership transfer, unauthorized sharing-group scoping, and injection of stored attacker-controlled content into other users' contexts. HarborGuard tracks this advisory for patch availability, as no fix version has been published yet.

HarborGuard Coverage

Detection

Detection for CVE-2026-56422 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle MISP. Any image pinning a MISP release at or below 2.5.41 is flagged automatically.

Status: Available

Triage

Triage is available with the full CVSS v4.0 score of 9.4 (Critical) applied to each matched finding, weighted against per-environment compliance policies to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the MISP advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released upstream. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically once a fix is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable MISP endpoints are exposed over the network, so an attacker must be able to send HTTP requests to the MISP instance (AV:N).

  • Authentication: Required

    A valid low-privilege MISP account is sufficient to reach the affected create, edit, and import flows; no administrative role is needed (PR:L).

  • Victim interaction: Not required

    The attacker submits crafted REST or form payloads directly; no action from another user is required to trigger the vulnerability (UI:N).

  • Attack complexity: Detail

    Exploitation is reliable and condition-free: no race conditions, specific memory layout, or environmental dependencies are required (AC:L/AT:N).

Blast Radius

  • Reads all event data, threat intelligence objects, and sharing-group memberships belonging to other organizations within the MISP instance.
  • Overwrites or re-parents existing events, objects, proposals, and galaxy cluster associations outside the attacker's authorized scope.
  • Transfers ownership of MISP objects to attacker-controlled organizations or users, or injects stored attacker-controlled content into other users' contexts.
  • Disrupts availability of the MISP instance through malformed or conflicting saves that corrupt relational integrity across events, organizations, and sharing groups.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the MISP advisory for CVE-2026-56422 is active across every environment scanning images that include MISP at or below version 2.5.41. Because no upstream fix has been published, the recommended immediate compensating controls include restricting network access to the MISP REST API to trusted internal subnets via network policy, applying egress filtering to limit lateral movement from a compromised instance, and reviewing MISP role configurations to minimize the number of accounts holding any authenticated access to create or edit endpoints. HarborGuard re-evaluates the advisory on every ingest cycle; the moment CIRCL or the MISP project publishes a patched release, a rebuilt image will become available. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be opened automatically at that point, with no manual intervention required.

Affected packages
  • misp / misp
    ≤ 2.5.41
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H