CVE-2026-56447 | Severity: CRITICAL | CNA: CIRCL

CVE-2026-56447: MISP remote code execution via arbitrary rdkafka configuration path

MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or administrative image, to host the malicious configuration file. The issue is fixed by restricting the setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets.
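The restriction described above can be checked on a deployment with a short audit script. The following is an added example, not MISP's own code or its patch: the approved and forbidden directories are assumed values (the advisory does not list them), and the sample INI text is constructed.

```python
import os

# Assumed locations for illustration; the advisory does not name the approved
# directories, the webroot or the upload targets of a given deployment.
APPROVED_DIRS = ["/etc/misp/kafka"]
FORBIDDEN_DIRS = ["/var/www/MISP/app/webroot", "/var/www/MISP/app/files"]
# Option the advisory names as the library-loading primitive.
DANGEROUS_OPTIONS = {"plugin.library.paths"}

# Constructed sample configuration, not taken from a real host.
SAMPLE_INI = """; constructed sample
bootstrap.servers = kafka.example.internal:9092
plugin.library.paths = <library path placeholder>
"""


def _inside(path, parent):
    """True if path is parent itself or lies below it."""
    return os.path.commonpath([path, parent]) == parent


def check_rdkafka_config_path(value, approved=APPROVED_DIRS, forbidden=FORBIDDEN_DIRS):
    """Return the reasons to reject a Kafka_rdkafka_config value ([] = accepted)."""
    if not os.path.isabs(value):
        return ["path is not absolute"]
    problems = []
    if not value.lower().endswith(".ini"):
        problems.append("file does not have an .ini extension")
    real = os.path.realpath(value)  # resolve symlinks and ../ before comparing
    if not any(_inside(real, os.path.realpath(d)) for d in approved):
        problems.append("resolved path is outside the approved directories")
    if any(_inside(real, os.path.realpath(d)) for d in forbidden):
        problems.append("resolved path is under the webroot or an upload target")
    return problems


def dangerous_options(ini_text):
    """Return (line number, option) for rdkafka options that load external code."""
    found = []
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip().strip("\"'").lower()
        if key in DANGEROUS_OPTIONS:
            found.append((lineno, key))
    return found
```

Run `check_rdkafka_config_path` against the value currently stored in the setting and `dangerous_options` against the contents of the file it points to; any non-empty result warrants review.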

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a remote code execution vulnerability in MISP (Malware Information Sharing Platform) caused by an unsafe file-path configuration setting. An authenticated site administrator can point the Kafka_rdkafka_config setting to an attacker-controlled INI file anywhere on the filesystem; MISP then parses that file and passes its options to the rdkafka library, which accepts a plugin.library.paths option that instructs rdkafka to load an arbitrary shared library. Successful exploitation gives the attacker code execution with the full privileges of the MISP process. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-56447 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including CIRCL and NVD) within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, covering both upstream MISP images and any custom-built images that package the affected misp/misp package at versions up to and including 2.5.41.

Status: Available

Triage

Triage is available through HarborGuard's scoring pipeline, which surfaces this CVE at its CVSS v4.0 score of 9.3 (Critical) and weights it against each customer environment's compliance policy to prioritize routing; findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment MISP or CIRCL publishes a corrected release. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the MISP web interface over the network to interact with the affected administrative setting.

  • Authentication: Required

    A site administrator account (high-privilege) is required; a low-privilege user account is not sufficient to change the Kafka_rdkafka_config setting.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker exercises the exploit entirely through their own authenticated session.

  • Attack complexity: Detail

    Exploit complexity is low: no race conditions or special environmental conditions are required beyond having admin credentials and a writable location on the MISP host for the malicious INI file.

Blast Radius

  • Reads sensitive data from any file the MISP process can access, including stored event data, sharing group memberships, and API keys held in MISP configuration files.
  • Modifies or deletes persisted threat intelligence records, sharing rules, and database contents by executing attacker-supplied code in the MISP process context.
  • Achieves lateral movement or persistent access to the host and any systems reachable from it, because the injected shared library runs with the full OS privileges of the MISP process user.
  • Exfiltrates or corrupts data shared with connected MISP instances over its synchronization feeds, extending the blast radius beyond the compromised node.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been released for CVE-2026-56447, HarborGuard continuously monitors the CIRCL and NVD advisories on every ingest cycle and will surface a patched-image rebuild automatically as soon as MISP publishes a corrected version. In the interim, compensating controls available to HarborGuard customers include network-policy annotations that restrict inbound access to the MISP admin interface to known trusted CIDR ranges, egress filtering to prevent the MISP process from loading libraries from attacker-reachable paths, and policy rules that flag any image update introducing new writable directories under the MISP webroot or upload targets. Where compliance policy permits, customers with auto-remediation enabled will receive an automatic rebuild, regression-test run, and PR against affected workloads the moment an upstream fix version is available, with no manual intervention required.

Affected packages

  • misp / misp: ≤ 2.5.41

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

References