CVE-2026-54358

Source
https://cve.org/CVERecord?id=CVE-2026-54358
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54358.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54358
Published
2026-06-12T19:34:49.259Z
Modified
2026-07-08T08:13:45.828741883Z
Severity
  • 7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
MISP organization administrators can target site administrator accounts for password reset
Details

An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own organization, but did not exclude accounts assigned a site administrator role from recipient queries. As a result, an organization administrator could perform privileged account-management actions, such as initiating a password reset workflow, against a higher-privileged site administrator account in the same organization.

Successful exploitation may allow an authenticated organization administrator to interfere with or potentially take over a site administrator account, resulting in privilege escalation and full compromise of the MISP instance’s confidentiality, integrity, and availability.

Attack prerequisites: The attacker must be authenticated as an organization administrator in the same organization as a site administrator account.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54358.json",
    "cna_assigner": "CIRCL",
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/misp/misp

Affected ranges

Type
GIT
Repo
https://github.com/misp/misp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.40"
        }
    ]
}

Affected versions

Other
codename/tellurium
rm
v0.*
v0.2
v2.*
v2.3.0
v2.4.0
v2.4.1
v2.4.10
v2.4.100
v2.4.101
v2.4.102
v2.4.106
v2.4.107
v2.4.109
v2.4.11
v2.4.110
v2.4.111
v2.4.118
v2.4.120
v2.4.121
v2.4.122
v2.4.123
v2.4.125
v2.4.127
v2.4.128
v2.4.13
v2.4.130
v2.4.133
v2.4.134
v2.4.136
v2.4.137
v2.4.14
v2.4.15
v2.4.152
v2.4.153
v2.4.16
v2.4.17
v2.4.175
v2.4.18
v2.4.183
v2.4.184
v2.4.185
v2.4.186
v2.4.187
v2.4.188
v2.4.189
v2.4.190
v2.4.191
v2.4.192
v2.4.193
v2.4.194
v2.4.195
v2.4.196
v2.4.2
v2.4.20
v2.4.21
v2.4.22
v2.4.23
v2.4.24
v2.4.25
v2.4.26
v2.4.27
v2.4.3
v2.4.34
v2.4.35
v2.4.36
v2.4.37
v2.4.38
v2.4.39
v2.4.4
v2.4.43
v2.4.45
v2.4.46
v2.4.47
v2.4.48
v2.4.5
v2.4.50
v2.4.51
v2.4.52
v2.4.53
v2.4.54
v2.4.56
v2.4.57
v2.4.58
v2.4.59
v2.4.60
v2.4.61
v2.4.62
v2.4.63
v2.4.64
v2.4.65
v2.4.7
v2.4.78
v2.4.80
v2.4.82
v2.4.83
v2.4.85
v2.4.86
v2.4.87
v2.4.88
v2.4.89
v2.4.9
v2.4.91
v2.4.93
v2.4.94
v2.4.95
v2.4.96
v2.4.98
v2.5.0
v2.5.10
v2.5.11
v2.5.12
v2.5.13
v2.5.14
v2.5.15
v2.5.16
v2.5.17
v2.5.18
v2.5.19
v2.5.20
v2.5.21
v2.5.22
v2.5.23
v2.5.24
v2.5.25
v2.5.26
v2.5.27
v2.5.28
v2.5.29
v2.5.30
v2.5.31
v2.5.32
v2.5.33
v2.5.34
v2.5.35
v2.5.36
v2.5.37
v2.5.7
v2.5.8
v2.5.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54358.json"