CVE-2026-44381
Description
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. This vulnerability is fixed in 2.5.37.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SQL injection vulnerability in MISP before 2.5.37 allows attackers with endpoint access to manipulate ordering parameters for unauthorized database access.
Vulnerability
In MISP versions prior to 2.5.37, the event and shadow attribute listing endpoints accepted user-controlled order or sort parameters and incorporated them directly into SQL ORDER BY clauses without sufficient validation. The affected code did not validate the requested field name against a whitelist of allowed model fields, enabling an attacker to inject arbitrary SQL via the ordering parameter [1].
Exploitation
An attacker with access to the affected endpoints (typically an authenticated user with permissions to view event or shadow attribute listings) can craft a malicious order or sort parameter. No additional user interaction is required; the injection occurs when the server processes the request and builds the SQL query [1].
Impact
Successful exploitation allows the attacker to manipulate the generated SQL query, potentially leading to unauthorized access to data, modification of query behavior, or other database-level impacts depending on the database user's permissions and query context [1].
Mitigation
The vulnerability is fixed in MISP version 2.5.37, released on 2026-05-13. The fix removes direct use of the user-supplied order parameter, validates requested ordering fields against allowed model fields or the model schema, and constructs the order clause using validated field names and normalized sort directions only [1]. No workarounds are documented; upgrading to the patched version is recommended.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- github.com/MISP/MISP/security/advisories/GHSA-4cxp-22wm-j6jrnvdVendor Advisory
News mentions
0No linked articles in our index yet.