CVE-2026-56423 (Severity: CRITICAL; CNA: CIRCL)

CVE-2026-56423: MISP Core: Broken access control allows instance-wide unauthorized deletion of event reports and sharing groups via bulk deletion endpoints

MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object.

For Event Reports, EventReportsController::deleteSelection relied on the global perm_add capability rather than a per-report ownership/authorization check. As a result, a contributor-level user could submit report IDs or UUIDs for reports belonging to other organisations and hard-delete them instance-wide. The fix changed the callback to call EventReport::fetchIfAuthorized($user, $itemId, 'delete') for each selected report before deletion.

For Sharing Groups, SharingGroupsController::deleteSelection relied on the global perm_sharing_group capability rather than verifying ownership of each selected sharing group. This allowed a sharing-group-capable user to hard-delete sharing groups owned by other organisations, bypassing the per-object ownership gate used by the single-object delete action. The fix changed the callback to call SharingGroup::checkIfOwner($user, $itemId) for each selected sharing group.

An authenticated attacker with the relevant broad role permission could abuse the affected bulk deletion endpoints to delete objects outside their organisation’s authorization scope, causing loss of event-report content or sharing-group configuration across the instance.
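The handler shape the advisory describes, as an added illustration that is not MISP's code: a simplified event-report store with the vulnerable bulk delete (one role-level perm_add gate for the whole batch) beside the hardened form that authorizes each selected object, in the spirit of the fix's per-report fetchIfAuthorized call. The in-memory store, the user array, the site_admin flag and the helper bodies are assumptions, not MISP's models or API.

```php
<?php
// Added illustration of the bug class this advisory describes; not MISP's code.
// Reports, users, role flags and helpers are simplified stand-ins for the real models.
// Constructed sample: report 1 belongs to org 1, report 2 belongs to org 2.
$reports = [1 => ['org_id' => 1], 2 => ['org_id' => 2]];

// Stand-in for a per-object authorization check (the idea behind the fix's fetchIfAuthorized()):
// the caller must own the report, or be a site admin, to get it back for deletion.
function fetchIfAuthorized(array $reports, array $user, int $id): ?array
{
    $report = $reports[$id] ?? null;
    if ($report === null) {
        return null;                              // no such report
    }
    $isOwner = $report['org_id'] === $user['org_id'];
    return ($user['site_admin'] || $isOwner) ? $report : null;
}

// Vulnerable shape: one role-level gate (perm_add) for the whole batch.
function deleteSelectionVulnerable(array &$reports, array $user, array $ids): array
{
    if (!$user['perm_add']) {
        return [];                                // the role is checked, the objects never are
    }
    $deleted = [];
    foreach ($ids as $id) {
        if (isset($reports[$id])) {
            unset($reports[$id]);                 // another org's report is hard-deleted too
            $deleted[] = $id;
        }
    }
    return $deleted;
}

// Hardened shape: authorize every selected object before deleting it.
function deleteSelectionFixed(array &$reports, array $user, array $ids): array
{
    $deleted = [];
    foreach ($ids as $id) {
        if (fetchIfAuthorized($reports, $user, $id) === null) {
            continue;                             // skip anything the caller may not delete
        }
        unset($reports[$id]);
        $deleted[] = $id;
    }
    return $deleted;
}

// A contributor from org 1 submits both report IDs; compare which IDs each handler removes.
$contributor = ['org_id' => 1, 'perm_add' => true, 'site_admin' => false];
$copy = $reports; var_dump(deleteSelectionVulnerable($copy, $contributor, [1, 2]));
$copy = $reports; var_dump(deleteSelectionFixed($copy, $contributor, [1, 2]));
```

The same per-object pattern applies to the sharing-group handler, where the fix's ownership check (checkIfOwner) plays the role fetchIfAuthorized plays here.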

Metrics

  • CVSS v4.0: 9.4
  • Severity: CRITICAL
  • Fixed in: no fix version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Broken access control in MISP Core allows an authenticated user with contributor-level permissions to hard-delete event reports and sharing groups belonging to other organizations via the bulk deletion endpoints. The vulnerability is reachable over the network and requires only a low-privilege account, with no victim interaction needed. Successful exploitation causes permanent, instance-wide loss of event-report content and sharing-group configuration across all organizations on the affected MISP instance. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-56423 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the CIRCL advisory and NVD) within minutes of publication and matched against all customer images, including custom-built MISP images derived from misp/misp. Scan results surface any image running misp/misp at or below version 2.5.41 as affected.
Triage: Available

HarborGuard scores this finding at CVSS 9.4 (Critical) using the published v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage alerts are dispatched to the inbox or ticketing integration configured by each customer organization, with severity-appropriate escalation paths applied automatically.
Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the CIRCL advisory and upstream MISP release feed on every ingest cycle. The moment an upstream patch is released, a patched-image rebuild becomes available on HarborGuard, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable bulk deletion endpoints are exposed over the network, so the attacker must be able to reach the MISP instance via HTTP/HTTPS.

  • Authentication: Required

    The attacker must hold a valid low-privilege account with the perm_add or perm_sharing_group role capability; anonymous access is not sufficient.

  • Victim interaction: Not required

    The attacker sends crafted bulk deletion requests directly to the API endpoints; no action by another user is needed.

  • Attack complexity: Low (AC:L in the published CVSS v4.0 vector)

    Exploitation is reliable and condition-free: no race conditions, memory-layout dependencies, or environmental factors are required beyond knowing valid report or sharing-group IDs.

Blast Radius

  • Permanently hard-deletes event reports belonging to any organization on the MISP instance, destroying threat-intelligence content that may not be recoverable.
  • Permanently hard-deletes sharing groups owned by other organizations, removing access-control configurations that govern how event data is shared across the instance.
  • Impacts the confidentiality, integrity, and availability of both the local MISP instance and any connected systems (SC:H/SI:H/SA:H in the CVSS v4.0 vector), meaning downstream consumers of shared threat intelligence lose access to that data.
  • An attacker can selectively wipe high-value reports or sharing groups to degrade coordinated threat response across all organizations sharing the instance.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-56423, the platform monitors the CIRCL advisory and the MISP release feed on every ingest cycle and will surface a patched-image rebuild the moment an upstream fix is released. In the interim, customers can apply compensating controls through HarborGuard policy enforcement: network-policy isolation to restrict access to the MISP bulk deletion endpoints (deleteSelection routes) to trusted internal CIDRs only, and role-scoping reviews to confirm that perm_add and perm_sharing_group capabilities are granted only to fully trusted accounts. Where compliance policy permits, auto-remediation is pre-staged so that when a fix version is published, affected images receive an automatic rebuild, regression-test run, and a PR opened against affected workloads with no manual steps required. Customers who cannot wait for the upstream fix should treat this advisory as requiring immediate network-level access controls given the Critical (9.4) CVSS score and the absence of any interaction requirement.
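A compensating detection for the interim period described above, added here and not HarborGuard's or MISP's code: it scans web-server access logs for POSTs to the two bulk deleteSelection routes that arrive from outside the trusted address ranges a network policy would allow. The route paths (CakePHP's controller/action naming), the combined access-log format and the trusted CIDRs are assumptions; the sample log lines are constructed.

```php
<?php
// Added detection example; not HarborGuard's or MISP's code. Assumes Apache/nginx combined
// access logs; the route paths follow CakePHP's controller/action convention and are assumed.
const TRUSTED_CIDRS = ['10.0.0.0/8', '192.168.10.0/24'];            // assumed trusted ranges
const BULK_DELETE_ROUTES = ['/eventReports/deleteSelection', '/sharingGroups/deleteSelection'];

function inCidr(string $ip, string $cidr): bool                    // IPv4 only
{
    [$net, $bits] = explode('/', $cidr);
    $mask = -1 << (32 - (int) $bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

function isTrusted(string $ip): bool
{
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return false;                                              // unparsable or IPv6: treat as untrusted
    }
    foreach (TRUSTED_CIDRS as $cidr) {
        if (inCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Returns the lines that POST to a bulk-delete route from outside the trusted ranges.
function findSuspiciousBulkDeletes(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // client IP, method and request path from a combined-format line
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $ip, $method, $path] = $m;
        $path = strtok($path, '?');                                // drop any query string
        if ($method === 'POST' && in_array($path, BULK_DELETE_ROUTES, true) && !isTrusted($ip)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample log lines (not captured from any real instance).
$sample = [
    '10.1.2.3 - - [01/May/2026:10:00:00 +0000] "POST /eventReports/deleteSelection HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [01/May/2026:10:00:05 +0000] "POST /sharingGroups/deleteSelection HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/May/2026:10:00:06 +0000] "GET /events/index HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
];
foreach (findSuspiciousBulkDeletes($sample) as $hit) {
    echo 'ALERT bulk delete from untrusted source: ', $hit, PHP_EOL;
}
```

Pair this with the role-scoping review the paragraph mentions: any account that legitimately needs perm_add or perm_sharing_group should also appear in the trusted ranges, so a hit here is worth a look even before the upstream fix lands.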

Affected packages
  • misp / misp
    ≤ 2.5.41
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H