VYPR
Medium severity 5.3 · NVD Advisory · Published May 13, 2026 · Updated May 15, 2026

CVE-2026-44379

Description

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues or unexpected behaviour in code paths that assume Collection UUIDs are valid identifiers. This vulnerability is fixed in 2.5.37.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MISP Collections prior to 2.5.37 lacked RFC 4122 UUID validation, allowing users to submit malformed UUIDs and cause integrity issues.

Vulnerability

Overview

MISP Collections prior to version 2.5.37 did not enforce RFC 4122 UUID validation on the uuid field. The Collection model lacked a validation rule for the UUID format, meaning any string could be accepted as a valid UUID. This oversight allowed users with permission to create or modify Collection records to submit malformed or arbitrary UUID values [1][2].

Exploitation

Prerequisites

An attacker must have the ability to create or edit Collection records within MISP. No special network position or authentication bypass is required; standard user privileges for managing collections are sufficient. The vulnerability is triggered by supplying a non-conforming UUID string (e.g., an arbitrary string or an improperly formatted UUID) in the uuid field during record creation or update [2].

Impact

Because downstream code paths assume that Collection UUIDs are valid RFC 4122 identifiers, malformed UUIDs can cause integrity issues and unexpected behavior. This may lead to data corruption, broken references, or logic errors in features that rely on UUID uniqueness or format. The vulnerability does not directly enable remote code execution or privilege escalation, but it undermines data consistency and reliability [1][2].

Mitigation

The issue is fixed in MISP version 2.5.37. The fix adds model-level validation to the Collection model, requiring the uuid field to match a valid RFC 4122 UUID before acceptance. The commit f8b20358c3cd8fd3d784452901876f2db0acbf05 implements this change [1]. Users should upgrade to MISP 2.5.37 or later to remediate the vulnerability [2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
f8b20358c3cd

fix: [security] UUID field validation added to collections

https://github.com/MISP/MISP · iglocska · Apr 28, 2026 · via nvd-ref
1 file changed · +7 −0
  • app/Model/Collection.php · +7 −0 · modified
    @@ -69,6 +69,13 @@ class Collection extends AppModel
     
         public $current_user = null;
     
    +    public $validate = [
    +        'uuid' => [
    +            'rule' => 'uuid',
    +            'message' => 'Please provide a valid RFC 4122 UUID',
    +        ]
    +    ];
    +
     
         public function beforeValidate($options = array())
         {
    
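Review bot: The new `$validate` array only guards writes that reach `Model::save()`/`saveAll()` with validation enabled; in CakePHP 2, `updateAll()` skips validation entirely and `saveField()` has its `$validate` parameter defaulting to false, so confirm that every Collection write path in the controllers and sync code uses a validating save. The rule also carries no `required`/`allowEmpty` keys: a `uuid` key that is absent from the submitted data is never checked, while an empty string fails with this message, so make sure the `beforeValidate()` hook directly below still populates a missing uuid before the rule runs. Finally, model validation does nothing for rows stored before this patch; a one-off audit of existing `collections.uuid` values against the same format would complete the fix.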

Vulnerability mechanics

Root cause

"Missing input validation on the uuid field in MISP Collections allows malformed UUID values to be stored."

Attack vector

An attacker with the ability to create or modify Collection records can submit arbitrary, non-RFC 4122 compliant values in the uuid field [CWE-20]. The CVSS vector (AV:N/AC:L/PR:N) rates the issue as exploitable over the network without authentication. By sending a crafted request containing a malformed UUID string, which no validation rule rejected before the patch, the attacker can cause integrity issues or unexpected behavior in downstream code paths that assume Collection UUIDs are valid identifiers.

Affected code

The vulnerable code is in `app/Model/Collection.php` [patch_id=371253]. Prior to the patch, the `Collection` model lacked a `$validate` array for the `uuid` field, meaning no RFC 4122 UUID validation was enforced when creating or updating Collection records. The patch adds a validation rule that uses CakePHP's built-in `uuid` rule to reject malformed UUID values.

What the fix does

The patch adds a `$validate` array to the `Collection` model in `app/Model/Collection.php` [patch_id=371253]. This array declares a validation rule for the `uuid` field that enforces RFC 4122 UUID format via CakePHP's built-in `uuid` rule. If validation fails, the error message "Please provide a valid RFC 4122 UUID" is returned, preventing malformed UUIDs from being saved to the database. This closes the vulnerability by ensuring only properly formatted UUIDs are accepted.
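As an added illustration (not MISP's code and not CakePHP's `uuid` rule itself), the Python helper below applies a strict canonical RFC 4122 check of the kind the new model rule enforces to a constructed set of Collection rows, which is the audit an operator would run on records stored before 2.5.37, and contrasts it with the lenient parse that Python's `uuid.UUID()` performs, which accepts braces, missing hyphens and the nil UUID that the strict rule rejects. The regex, the function names and the sample rows are assumptions made here.

```python
import re
import uuid

# Strict canonical RFC 4122 text form: 8-4-4-4-12 hex groups, version nibble 1-5,
# variant nibble 8/9/a/b. Constructed for this audit; CakePHP's own 'uuid' rule
# may differ in detail (assumption).
_RFC4122_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}",
    re.IGNORECASE,
)


def is_rfc4122_uuid(value) -> bool:
    """True only for a string in canonical, hyphenated RFC 4122 form."""
    return isinstance(value, str) and _RFC4122_RE.fullmatch(value) is not None


def lenient_accepts(value) -> bool:
    """What a naive uuid.UUID() check accepts: it tolerates braces, a urn:uuid:
    prefix, stripped hyphens and the nil UUID, so it is not a format validator."""
    try:
        uuid.UUID(str(value))
        return True
    except (ValueError, TypeError):
        return False


def audit_collections(records):
    """Return (id, uuid) for every record whose uuid would fail the strict rule."""
    return [(r.get("id"), r.get("uuid"))
            for r in records if not is_rfc4122_uuid(r.get("uuid"))]


# Constructed sample of Collection rows as they might exist before 2.5.37.
SAMPLE_COLLECTIONS = [
    {"id": 1, "uuid": "3f2504e0-4f89-41d3-9a0c-0305e82c3301"},    # valid v4
    {"id": 2, "uuid": "not-a-uuid"},                              # arbitrary string
    {"id": 3, "uuid": "3f2504e04f8941d39a0c0305e82c3301"},        # hyphens stripped
    {"id": 4, "uuid": "{3f2504e0-4f89-41d3-9a0c-0305e82c3301}"},  # braces
    {"id": 5, "uuid": "00000000-0000-0000-0000-000000000000"},    # nil: version 0
    {"id": 6, "uuid": ""},                                        # empty
]

if __name__ == "__main__":
    for rec_id, bad in audit_collections(SAMPLE_COLLECTIONS):
        print(f"collection {rec_id}: malformed uuid {bad!r} "
              f"(uuid.UUID() would accept: {lenient_accepts(bad)})")
```

Rows 3, 4 and 5 are the instructive ones: a lenient parser treats them as usable identifiers while the model rule now rejects them, which is exactly the mismatch that produces broken references between code paths.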

Preconditions

  • auth: The attacker must be able to create or modify Collection records in MISP.
  • network: The attacker must have network access to the MISP instance.
  • input: The attacker must submit a request with a malformed (non-RFC 4122) uuid value.

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
