CVE-2026-10855
Description
MISP Event Template Importer authorization flaw allows users to overwrite templates from other organizations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked for the existence of a matching template but failed to verify that the importing user belonged to the organization that owned the existing template. This affected all versions of MISP prior to the fix [1].
Exploitation
An authenticated user with access to the template import functionality could initiate an overwrite import of an event template. The application would not prevent the overwrite if the template was owned by a different organization, provided the user was not a site administrator.
Impact
Successful exploitation could allow an unauthorized user to forcibly overwrite an event template owned by another organization. This could lead to the alteration of the template's structure, attributes, or metadata, potentially disrupting subsequent event creation or sharing workflows for that organization.
Mitigation
The issue was fixed by enforcing an ownership check before allowing an overwrite. Non-site-admin users can now only overwrite templates owned by their own organization. The fix was implemented in commit 7c2200d143bef86aaf58d701b6968a843097db69 [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
7c2200d143be fix: [security] event template importer - check for ownership on overwrite forced imports
1 file changed · +3 −0
app/Lib/Tools/EventTemplateImporter.php+3 −0 modified@@ -110,6 +110,9 @@ public function import(array $payload, array $user, array $options = array()) ); if (!empty($existing) && $mode === 'overwrite') { + if ($user['org_id'] !== (int)$existing['EventTemplate']['org_id'] && !$user['Role']['perm_site_admin']) { + throw new MethodNotAllowedException('Cannot overwrite template owned by another org.'); + } $eventTemplate->id = (int)$existing['EventTemplate']['id']; $row['id'] = $eventTemplate->id; // preserve original ownership
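Review bot: the new guard casts only one side of a strict comparison: `$user['org_id'] !== (int)$existing['EventTemplate']['org_id']`. If `$user['org_id']` ever arrives as a string (as CakePHP row values commonly do), `!==` is always true and every non-site-admin overwrite is refused, including overwrites of the user's own organization's templates; cast both sides, e.g. `(int)$user['org_id'] !== (int)$existing['EventTemplate']['org_id']`. Also, `MethodNotAllowedException` maps to HTTP 405, while an authorization failure is more accurately reported as a 403 (`ForbiddenException`), which keeps API clients from misreading the error. A regression test exercising same-org, other-org and site-admin importers in overwrite mode would lock the intended behaviour in.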
Vulnerability mechanics
Root cause
"The event template importer did not verify user ownership before overwriting an existing template."
Attack vector
An authenticated user with access to the template import functionality could exploit this flaw. The application checked for an existing template but failed to verify whether the importing user belonged to the same organization that owned the template. This allowed the user to overwrite an event template owned by a different organization, bypassing the intended authorization controls [patch_id=4797172].
Affected code
The vulnerability resides within the `import` function in `app/Lib/Tools/EventTemplateImporter.php`. Specifically, the logic handling the overwrite mode when an existing template is found was modified to include the ownership check.
What the fix does
The patch enforces an ownership check before allowing a template overwrite. If the importing user is not a site administrator, the system now verifies that the user's organization ID matches the existing template's organization ID. If they do not match, an exception is thrown, preventing unauthorized overwrites [patch_id=4797172].
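As an added illustration of the check described above (not code from MISP or from the patch itself), a stand-alone PHP version of the ownership guard. Field names follow the patch, the sample `$user` and `$existing` arrays are constructed, and both org ids are cast to int so that string-typed database values compare correctly under a strict comparison.

```php
<?php
// Added example, not MISP's own code: stand-alone ownership guard for a forced
// (overwrite-mode) event template import, runnable with `php guard.php`.

class TemplateOverwriteDenied extends RuntimeException {}

/**
 * Allow a forced overwrite only when the importing user belongs to the org that
 * owns the existing template, or is a site admin. Both org ids are cast to int:
 * CakePHP row values often arrive as strings, and a strict !== between "2" and 2
 * would otherwise reject legitimate same-org imports.
 */
function assertCanOverwriteTemplate(array $user, array $existing): void
{
    $isSiteAdmin = !empty($user['Role']['perm_site_admin']);
    $sameOrg = (int)$user['org_id'] === (int)$existing['EventTemplate']['org_id'];
    if (!$sameOrg && !$isSiteAdmin) {
        throw new TemplateOverwriteDenied('Cannot overwrite template owned by another org.');
    }
}

// Convenience wrapper returning a boolean decision instead of throwing.
function canOverwrite(array $user, array $existing): bool
{
    try {
        assertCanOverwriteTemplate($user, $existing);
        return true;
    } catch (TemplateOverwriteDenied $e) {
        return false;
    }
}

// Constructed sample data mimicking the shapes the importer receives.
$templateOfOrg2 = ['EventTemplate' => ['id' => 7, 'org_id' => '2']]; // string, as a DB row gives it
$orgUser1 = ['org_id' => 1,   'Role' => ['perm_site_admin' => false]];
$orgUser2 = ['org_id' => '2', 'Role' => ['perm_site_admin' => false]];
$siteAdmin = ['org_id' => 1,  'Role' => ['perm_site_admin' => true]];

$checks = [
    'other org, not admin -> denied'  => canOverwrite($orgUser1, $templateOfOrg2) === false,
    'same org (string id) -> allowed' => canOverwrite($orgUser2, $templateOfOrg2) === true,
    'site admin, other org -> allowed'=> canOverwrite($siteAdmin, $templateOfOrg2) === true,
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS ' : 'FAIL ') . $label . PHP_EOL;
}
```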
Preconditions
- auth: The attacker must be an authenticated user.
- input: The attacker must have access to the template import functionality.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
1. MISP: High-Severity Auth Bypass and Four Medium-Severity Flaws Disclosed. Vypr Intelligence, Jun 4, 2026.