Vypr Intelligence · AI-generated · Jun 12, 2026 · 12 CVEs

MISP: 12 CVEs Disclosed in a Single Batch, Including Mass Assignment and Auth Bypass Flaws

Twelve vulnerabilities—including mass assignment, authorization bypass, XSS, and an insecure default—were disclosed in the MISP threat intelligence platform on June 12, 2026.

Key findings

On June 12, 2026, twelve security vulnerabilities were disclosed in MISP (Malware Information Sharing Platform), the open-source threat intelligence platform used widely by SOCs, CSIRTs, and security researchers. The batch includes four High-severity and eight Medium-severity CVEs, with issues spanning authorization bypass, mass assignment, XSS, path traversal, and insecure defaults. Affected users should upgrade to the patched version immediately.

Mass Assignment and Authorization Flaws

The most severe issues involve mass assignment. CVE-2026-54361 (High) covers multiple mass assignment flaws in collections, tag collections, event delegations, and shadow attributes, where attacker-supplied fields such as id, org_id, and sharing_group_id were accepted from the request body instead of being set by the server. CVE-2026-54360 (High) is a related bug in the sharing group creation endpoint: the handler called create() and then save() on the submitted data, and because the CakePHP ORM treats a record that already carries a primary key as an update rather than an insert, supplying an existing sharing group's id in the save data could overwrite that group. Bugs of this class let a low-privileged user take ownership of, or tamper with, records that belong to other organisations.
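The create()-then-save() pattern above is easiest to see with a toy model. The following is an added illustration written for this article, not MISP code: an in-memory table whose save() updates when the record carries a known primary key, a vulnerable create handler that passes the request body straight through, and a hardened one that whitelists client fields and takes org_id from the session. The table, field names and the org numbers are hypothetical.

```python
"""Mass assignment: trusting client fields that the server should own.

Added illustration, not MISP code. A tiny in-memory table mimics the ORM
behaviour described in the text: save() treats a record that already carries
a primary key as an update. If a "create" endpoint passes the request body
straight to save(), a caller who supplies `id` (or `org_id`,
`sharing_group_id`) overwrites someone else's row. All names are hypothetical.
"""

CLIENT_FIELDS = {"name", "description", "releasability"}   # what a creator may set


class SharingGroupTable:
    """Constructed stand-in for an ORM-backed table keyed by integer id."""

    def __init__(self):
        self.rows = {}
        self._next_id = 1

    def save(self, data):
        # Primary key present and known -> UPDATE; otherwise INSERT.
        if data.get("id") in self.rows:
            self.rows[data["id"]].update(data)
            return self.rows[data["id"]]
        row = {k: v for k, v in data.items() if k != "id"}
        row["id"] = self._next_id
        self._next_id += 1
        self.rows[row["id"]] = row
        return row


def add_vulnerable(table, session_user, request_data):
    """Vulnerable pattern: create() followed by save(<request body>)."""
    return table.save(dict(request_data))


def add_hardened(table, session_user, request_data):
    """Hardened: keep only whitelisted client fields, set the owner from the session."""
    row = {k: v for k, v in request_data.items() if k in CLIENT_FIELDS}
    row["org_id"] = session_user["org_id"]   # server-controlled, never from the request
    return table.save(row)


def seed(table):
    """One existing group owned by org 1 (constructed sample data)."""
    return table.save({"name": "partners", "org_id": 1, "releasability": "TLP:AMBER"})


# Attacker from org 7 "creates" a group but includes the victim group's primary key.
ATTACKER = {"id": 42, "org_id": 7}


def run_vulnerable():
    """Returns the victim row after the attack: it has been overwritten."""
    table = SharingGroupTable()
    victim = seed(table)
    add_vulnerable(table, ATTACKER, {"id": victim["id"], "name": "pwned", "org_id": 7})
    return table.rows[victim["id"]]


def run_hardened():
    """Returns (untouched victim row, the new row the attacker actually created)."""
    table = SharingGroupTable()
    victim = seed(table)
    created = add_hardened(table, ATTACKER, {"id": victim["id"], "name": "pwned", "org_id": 7})
    return table.rows[victim["id"]], created


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("hardened:  ", run_hardened())
```

The hardened handler never forwards id, org_id or sharing_group_id from the request; in CakePHP 2 the equivalent is passing a fieldList to save() and assigning the owner fields in the controller from the authenticated user.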

Authorization and Privilege Escalation

Several bugs allow users to exceed their intended permissions. CVE-2026-54398 (Medium) lets an authenticated user with object editing permissions assign objects or attributes to a sharing group they are not authorized to use. CVE-2026-54397 (Medium) affects the non-REST event editing path, where form data can be manipulated to set an event's sharing_group_id to an unauthorized group; the check existed on one code path but not the other. CVE-2026-54358 (High) allows an organization administrator to target site administrator accounts in the same organization through the administrative email functionality: the access control restricted org admins to users in their own organization but did not exclude higher-privileged accounts, so a site admin who happens to sit in that organization is in scope. Similarly, CVE-2026-54357 (Medium) lets an org admin access or modify the user settings of site admin accounts in the same organization.
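Both scoping gaps in this section come down to a missing predicate. The code below is an added illustration, not MISP code: one choke-point function that every path (REST or HTML form) must call before writing sharing_group_id, and an org-admin reach check that first scopes to the actor's organisation and then excludes site admins. Roles, sample records and function names are hypothetical.

```python
"""Authorization scoping for sharing groups and for org-admin reach.

Added illustration, not MISP code. Two checks the text describes:
  1. an editor may only attach an event or attribute to a sharing group
     their organisation created or belongs to;
  2. an org admin's "users in my org" scope must exclude site admins.
Roles, records and function names are hypothetical.
"""

SITE_ADMIN, ORG_ADMIN, USER = "site_admin", "org_admin", "user"


class Forbidden(Exception):
    pass


def usable_sharing_group_ids(user, sharing_groups):
    """Groups the user's org created or is a member of; site admins see all."""
    if user["role"] == SITE_ADMIN:
        return {sg["id"] for sg in sharing_groups}
    org = user["org_id"]
    return {sg["id"] for sg in sharing_groups
            if sg["org_id"] == org or org in sg["member_org_ids"]}


def set_sharing_group(user, record, sharing_group_id, sharing_groups):
    """Single choke point: both the REST path and the HTML form path must call it."""
    if sharing_group_id not in usable_sharing_group_ids(user, sharing_groups):
        raise Forbidden(f"org {user['org_id']} may not use sharing group {sharing_group_id}")
    updated = dict(record)
    updated["sharing_group_id"] = sharing_group_id
    return updated


def org_admin_may_manage(actor, target):
    """Org admins act only on users of their own org, and never on site admins."""
    if actor["role"] == SITE_ADMIN:
        return True
    if actor["role"] != ORG_ADMIN:
        return False
    if target["org_id"] != actor["org_id"]:
        return False                      # the scoping the text says already existed
    return target["role"] != SITE_ADMIN   # the exclusion that was missing


# Constructed sample data.
SHARING_GROUPS = [
    {"id": 10, "org_id": 1, "member_org_ids": {1, 2}},   # created by org 1, org 2 is a member
    {"id": 11, "org_id": 3, "member_org_ids": {3}},      # private to org 3
]
EDITOR_ORG2 = {"id": 5, "org_id": 2, "role": USER}
ORG_ADMIN_ORG1 = {"id": 6, "org_id": 1, "role": ORG_ADMIN}
SITE_ADMIN_ORG1 = {"id": 7, "org_id": 1, "role": SITE_ADMIN}
PLAIN_USER_ORG1 = {"id": 8, "org_id": 1, "role": USER}
EVENT = {"id": 100, "org_id": 2, "sharing_group_id": None}


def try_set(user, sg_id):
    """Resulting sharing_group_id, or None when the check refuses."""
    try:
        return set_sharing_group(user, EVENT, sg_id, SHARING_GROUPS)["sharing_group_id"]
    except Forbidden:
        return None


if __name__ == "__main__":
    print("editor -> group 10:", try_set(EDITOR_ORG2, 10))   # allowed: org 2 is a member
    print("editor -> group 11:", try_set(EDITOR_ORG2, 11))   # refused
    print("org admin -> plain user:", org_admin_may_manage(ORG_ADMIN_ORG1, PLAIN_USER_ORG1))
    print("org admin -> site admin: ", org_admin_may_manage(ORG_ADMIN_ORG1, SITE_ADMIN_ORG1))
```

The point of routing every writer through set_sharing_group() is exactly the CVE-2026-54397 lesson: a check that lives in the REST controller but not in the form handler protects only one door.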

Cross-Site Scripting and Information Disclosure

CVE-2026-54395 (Medium) is a reflected XSS in the UiBeta event index view. The urlparams value is HTML-escaped, but it is then placed inside a single-quoted JavaScript string literal in an inline handler; HTML escaping is the wrong encoder for that context. Because the browser HTML-decodes an attribute value before the JavaScript parser sees it, an escaped quote is restored to a real quote, and a crafted searcheventinfo parameter can close the string and execute arbitrary JavaScript. CVE-2026-54393 (Medium) is a stored XSS in the Overmind theme, where the setHomePage endpoint saved user-controlled path values through setSettingInternal(), bypassing the validation that normally requires homepage paths to start with a /. CVE-2026-54396 (Medium) is an information disclosure bug in the AuthKey edit functionality: when a validation error occurs, the user dropdown is populated using the attacker-controlled user_id from the request rather than the authenticated user, potentially leaking another user's data.
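The "HTML-decode first, then parse as JavaScript" ordering is the whole bug, so it is worth seeing the two stages separately. The script below is an added illustration, not MISP's template: it renders a hypothetical inline handler the vulnerable way (HTML escaping inside a single-quoted JS literal) and the corrected way (JSON-encode for the JS context, then HTML-escape for the attribute), then simulates the browser by decoding the attribute and checking whether the handler still parses as one call with one string argument. The probe string is constructed for the demo and is not a PoC from the advisory.

```python
"""HTML escaping is the wrong encoder for a JavaScript string (added illustration).

Simulates the browser pipeline for an inline event handler: the HTML parser
decodes character references in the attribute value first, and only then does
the JavaScript parser see the result. The template fragment and function names
are hypothetical, not MISP's code.
"""
import html
import json
import re


def render_vulnerable(urlparams):
    """HTML-escapes the value, then drops it into a single-quoted JS literal."""
    return '<a onclick="filterEvents(\'%s\')">Search</a>' % html.escape(urlparams, quote=True)


def render_hardened(urlparams):
    """Encode for the inner context (JS string) first, then for the outer (HTML attribute)."""
    js_literal = json.dumps(urlparams)
    # json.dumps leaves < > & alone; escape them so the literal is inert as HTML too.
    js_literal = (js_literal.replace("<", "\\u003c")
                            .replace(">", "\\u003e")
                            .replace("&", "\\u0026"))
    return '<a onclick="filterEvents(%s)">Search</a>' % html.escape(js_literal, quote=True)


ATTR = re.compile(r'onclick="([^"]*)"')
ONE_CALL_ONE_STRING = re.compile(
    r"""^filterEvents\((?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\)$""")


def handler_as_seen_by_js(markup):
    """Step 1: the HTML parser decodes entities in the attribute value."""
    return html.unescape(ATTR.search(markup).group(1))


def still_one_string_argument(js_source):
    """Step 2: does the JS parser still see exactly filterEvents(<one string literal>)?"""
    return ONE_CALL_ONE_STRING.match(js_source) is not None


BENIGN = "searcheventinfo:ransomware"
PAYLOAD = "') ; alert(document.domain) ; ('"   # constructed probe, not an advisory PoC

if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        for value in (BENIGN, PAYLOAD):
            js = handler_as_seen_by_js(render(value))
            print(f"{render.__name__:17} intact={still_one_string_argument(js)!s:5} {js}")
```

With the vulnerable renderer the escaped &#x27; comes back as a quote after HTML decoding and the handler becomes three statements; with the hardened renderer the same input is one JSON string literal. The general rule is to encode for the innermost context first and the outer context last, or better, avoid inline handlers and pass values through data attributes.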

Path Traversal and Other Medium-Severity Issues

CVE-2026-54394 (Medium) is a path traversal in OrganisationsController::getOrgLogo, where file paths are built using organisation-controlled fields (id, name, uuid) without ensuring the resolved file stays inside the intended APP/files/img/orgs/ directory. CVE-2026-54362 (Medium) is an incorrect visibility condition in the event template builder that let non-site-admin users view galaxies that should not have been visible to their organisation.
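The getOrgLogo fix described for CVE-2026-54394 is a containment check: every candidate path built from an organisation-controlled field has to be normalised and then rejected unless it still lies under the base directory. The code below is an added illustration, not MISP's OrganisationsController: it uses posixpath arithmetic only, so it runs without a filesystem, and the base directory, field order and sample organisations are hypothetical.

```python
"""Keeping a file path built from record fields inside its base directory.

Added illustration, not MISP code. Candidate file names come from fields an
organisation controls (id, name, uuid), so every candidate is normalised and
refused unless it still lies under the intended directory. Pure path
arithmetic (posixpath); base path and function names are hypothetical.
"""
import posixpath

BASE = "/var/www/MISP/app/files/img/orgs"   # hypothetical install location


def is_inside(base, candidate):
    """True when the normalised candidate is base itself or a descendant of it.

    The trailing "/" matters: without it "<base>-evil/x" would pass a plain
    prefix test.
    """
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(candidate)
    return candidate == base or candidate.startswith(base + "/")


def org_logo_path(org, base=BASE):
    """First candidate <base>/<field>.png that stays inside base, else None."""
    for field in ("id", "name", "uuid"):
        value = org.get(field)
        if value in (None, ""):
            continue
        # posixpath.join discards base entirely when value is absolute, and
        # normpath collapses "..": both cases then fail the containment check.
        candidate = posixpath.join(base, f"{value}.png")
        if is_inside(base, candidate):
            return candidate
    return None


# Constructed sample organisations.
ORGS = {
    "benign": {"id": 5, "name": "ACME",
               "uuid": "00000000-0000-4000-8000-000000000005"},
    "traversal_name": {"id": "", "name": "../../../../etc/passwd", "uuid": ""},
    "absolute_name": {"id": "", "name": "/etc/passwd", "uuid": ""},
    "bad_id_good_name": {"id": "../../Config/config", "name": "acme", "uuid": ""},
}

if __name__ == "__main__":
    for label, org in ORGS.items():
        print(f"{label:17} -> {org_logo_path(org)}")
```

This is a lexical check. In a real deployment, once the file is known to exist, resolve it with os.path.realpath before comparing so that a symlink placed inside the logo directory cannot point back outside it.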

Insecure Default Configuration

CVE-2026-54359 (High) highlights an insecure default: the Security.check_sec_fetch_site_header control is disabled by default. When it is disabled, state-changing requests (POST, PUT, AJAX) are not restricted based on the browser-provided Sec-Fetch-Site header, so a page on an attacker's site can make a logged-in user's browser submit such requests with the victim's session attached, a cross-site request forgery (CSRF) condition; the attacker needs no MISP account of their own. Sec-Fetch-Site is part of Fetch Metadata and is set by the browser, not the page, which is what makes it a reliable signal and a useful layer on top of any per-request CSRF tokens. Administrators should enable the check rather than rely on the shipped default.
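The policy such a setting turns on is small enough to show in full. The function below is an added illustration, not MISP code: it takes a method and headers, ignores the header when the check is "disabled" (the insecure default), and otherwise refuses cross-site requests that are not read-only. The sample requests are constructed, and the setting name is used only in the docstring.

```python
"""Fetch Metadata resource-isolation check for state-changing requests.

Added illustration, not MISP code. Shows the policy that a setting like
Security.check_sec_fetch_site_header turns on: read the browser-supplied
Sec-Fetch-Site header and refuse cross-site requests that can change state.
Function names, the request shape and the sample requests are hypothetical.
"""
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TRUSTED_SITES = {"same-origin", "same-site", "none"}   # "none" = user-initiated navigation


def allow_request(method, headers, check_enabled=True):
    """Return (allowed, reason).

    With check_enabled=False the header is ignored, which is the insecure
    default the advisory describes.
    """
    if not check_enabled:
        return True, "check disabled: Sec-Fetch-Site ignored"
    lowered = {k.lower(): v for k, v in headers.items()}
    site = lowered.get("sec-fetch-site")
    if site is None:
        # No Fetch Metadata at all: a legacy browser or a non-browser API client.
        # An attacker page cannot make a current browser omit the header, so this
        # branch does not weaken the cross-site protection; other defences
        # (CSRF tokens, API keys) still apply here.
        return True, "no Sec-Fetch-Site header"
    if site in TRUSTED_SITES:
        return True, f"{site} request"
    if method.upper() in SAFE_METHODS:
        return True, "cross-site read-only request"
    return False, "cross-site state-changing request blocked"


# Constructed sample requests: (method, headers)
CROSS_SITE_FORM_POST = ("POST", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate"})
CROSS_SITE_AJAX_PUT = ("PUT", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors"})
SAME_ORIGIN_POST = ("POST", {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors"})
CROSS_SITE_GET = ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate"})
LEGACY_POST = ("POST", {})
SAMPLES = [CROSS_SITE_FORM_POST, CROSS_SITE_AJAX_PUT, SAME_ORIGIN_POST, CROSS_SITE_GET, LEGACY_POST]


def decisions(check_enabled):
    """Allowed/blocked decision for each sample request under the given setting."""
    return [allow_request(m, h, check_enabled)[0] for m, h in SAMPLES]


if __name__ == "__main__":
    print("default (disabled):", decisions(False))
    print("enabled:           ", decisions(True))
```

Two caveats a deployment should weigh: same-site treats every subdomain of the registrable domain as trusted, so a vulnerable sibling application can still forge requests; and the header-absent branch is a compatibility choice, so it must be paired with the existing token-based CSRF defences rather than replace them.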

Response and Patching

All twelve CVEs were addressed in a single security release by the MISP project. Users are strongly advised to upgrade to the latest version of MISP. No active exploitation in the wild has been reported at the time of disclosure.

This batch underscores recurring patterns in complex platforms like MISP: authorization checks that cover one code path but not another, mass assignment where request fields override server logic, and configuration defaults that weaken security posture. Platform administrators should apply the patch, enable Security.check_sec_fetch_site_header, and review their sharing group memberships and the placement of site admin accounts within organizations.

AI-written article. Grounded in 12 CVE records listed below.