CVE-2026-56424

Source
https://cve.org/CVERecord?id=CVE-2026-56424
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56424.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-56424
Published
2026-06-22T12:17:17.090Z
Modified
2026-07-15T01:48:50.184806058Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N CVSS Calculator
Summary
Broken access control in MISP core allows cross-organization unauthorized modification or deletion of analyst data, event reports, collections, templates, and decaying models
Details

MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user’s organization.

The affected paths included:

  • Event Reports tag removal: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report

  • Collection Elements bulk deletion: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element’s actual parent collection, enabling deletion of elements from collections the user did not own.

  • Analyst Data capture/update: nested analyst data updates could overwrite an existing record without applying the normal canEditAnalystData ownership check, enabling cross-organization overwrite of analyst data records.
  • Template Elements editing: editing authorized against a template whose ID matched the template-element ID, rather than the element’s actual parent template, enabling unauthorized edits to another organization’s template elements.
  • Decaying Model editing and mappings: write paths loaded models using view-scope access but did not verify edit ownership, enabling users to edit or remap visible models owned by another organization. 

Successful exploitation could allow an authenticated user with subsystem-specific permissions to perform unauthorized cross-organization modifications or deletions of MISP data, resulting in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows.

Database specific
{
    "cna_assigner": "CIRCL",
    "cwe_ids": [
        "CWE-639",
        "CWE-862",
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56424.json"
}
References

Affected packages

Git / github.com/misp/misp

Affected ranges

Type
GIT
Repo
https://github.com/misp/misp
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.42"
        }
    ],
    "cpe": "cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:*"
}

Affected versions

Other
codename/tellurium
rm
v0.*
v0.2
v2.*
v2.3.0
v2.4.0
v2.4.1
v2.4.10
v2.4.100
v2.4.101
v2.4.102
v2.4.106
v2.4.107
v2.4.109
v2.4.11
v2.4.110
v2.4.111
v2.4.118
v2.4.120
v2.4.121
v2.4.122
v2.4.123
v2.4.125
v2.4.127
v2.4.128
v2.4.13
v2.4.130
v2.4.133
v2.4.134
v2.4.136
v2.4.137
v2.4.14
v2.4.15
v2.4.152
v2.4.153
v2.4.16
v2.4.17
v2.4.175
v2.4.18
v2.4.183
v2.4.184
v2.4.185
v2.4.186
v2.4.187
v2.4.188
v2.4.189
v2.4.190
v2.4.191
v2.4.192
v2.4.193
v2.4.194
v2.4.195
v2.4.196
v2.4.2
v2.4.20
v2.4.21
v2.4.22
v2.4.23
v2.4.24
v2.4.25
v2.4.26
v2.4.27
v2.4.3
v2.4.34
v2.4.35
v2.4.36
v2.4.37
v2.4.38
v2.4.39
v2.4.4
v2.4.43
v2.4.45
v2.4.46
v2.4.47
v2.4.48
v2.4.5
v2.4.50
v2.4.51
v2.4.52
v2.4.53
v2.4.54
v2.4.56
v2.4.57
v2.4.58
v2.4.59
v2.4.60
v2.4.61
v2.4.62
v2.4.63
v2.4.64
v2.4.65
v2.4.7
v2.4.78
v2.4.80
v2.4.82
v2.4.83
v2.4.85
v2.4.86
v2.4.87
v2.4.88
v2.4.89
v2.4.9
v2.4.91
v2.4.93
v2.4.94
v2.4.95
v2.4.96
v2.4.98
v2.5.0
v2.5.10
v2.5.11
v2.5.12
v2.5.13
v2.5.14
v2.5.15
v2.5.16
v2.5.17
v2.5.18
v2.5.19
v2.5.20
v2.5.21
v2.5.22
v2.5.23
v2.5.24
v2.5.25
v2.5.26
v2.5.27
v2.5.28
v2.5.29
v2.5.30
v2.5.31
v2.5.32
v2.5.33
v2.5.34
v2.5.35
v2.5.36
v2.5.37
v2.5.39
v2.5.40
v2.5.41
v2.5.7
v2.5.8
v2.5.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56424.json"