MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user’s organization.
The affected paths included:
Event Reports tag removal: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report
Collection Elements bulk deletion: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element’s actual parent collection, enabling deletion of elements from collections the user did not own.
Successful exploitation could allow an authenticated user with subsystem-specific permissions to perform unauthorized cross-organization modifications or deletions of MISP data, resulting in integrity loss, unauthorized tampering with shared intelligence, and disruption of analyst workflows.
{
"cna_assigner": "CIRCL",
"cwe_ids": [
"CWE-639",
"CWE-862",
"CWE-863"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56424.json"
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.5.42"
}
],
"cpe": "cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:*"
}