VYPR
High severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-54358

Description

MISP allows org admins to target site admin accounts in the same org for password reset, enabling privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An incorrect authorization vulnerability exists in MISP allowing organization administrators to target site administrator accounts within the same organization through the administrative email functionality. The affected code restricted recipient queries to users within the same organization but failed to exclude site administrator roles. This flaw affects MISP versions prior to the commit that introduced a check filtering out site admin role IDs from the recipient list, specifically in the admin_email and related functions [1].

Exploitation

An attacker must be authenticated as an organization administrator in the same organization as a site administrator account. By using the administrative email functionality, the attacker can include the site admin account in recipient queries, enabling actions such as initiating a password reset workflow against the higher-privileged account [1].

Impact

Successful exploitation allows an authenticated organization administrator to interfere with or potentially take over a site administrator account. This results in privilege escalation to site administrator, leading to full compromise of the MISP instance's confidentiality, integrity, and availability [1].

Mitigation

The fix is implemented in commit 146795489abef478c8f595ecde2501c32482b81e, which adds a check to exclude site admin role IDs from recipient queries when the current user is not a site admin [1]. Users should update to a version containing this commit. No workaround is documented in the provided references.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Misp/Misp: 2 versions referenced
    • (no CPE)
    • (no CPE)

Patches

1
146795489abe

fix: [security] site admin e-mail reset by same org org admin blocked

https://github.com/MISP/MISP · iglocska · Jun 11, 2026 · via nvd-ref
1 file changed · +10 −0
  • app/Controller/UsersController.php · +10 −0 · modified
    @@ -1669,9 +1669,16 @@ public function admin_quickEmail($user_id)
     
         public function admin_email($isPreview=false)
         {
    +        // An org admin must not be able to target a site admin (e.g. to reset
    +        // their password) even one within their own organisation, so exclude
    +        // site admin roles from every recipient query below.
    +        $siteAdminRoleIds = $this->_isSiteAdmin() ? array() : $this->User->getSiteAdminRoleIds();
             $conditionsAllowedOrgs = array();
             if (!$this->_isSiteAdmin()) {
                 $conditionsAllowedOrgs = array('org_id' => $this->Auth->user('org_id'));
    +            if (!empty($siteAdminRoleIds)) {
    +                $conditionsAllowedOrgs['NOT'] = array('User.role_id' => $siteAdminRoleIds);
    +            }
             }
             $conditionsAllowedOrgs['User.disabled'] = 0;
             $temp = $this->User->find('all', array('recursive' => -1, 'fields' => array('id', 'email', 'Organisation.name'), 'order' => array('email ASC'), 'conditions' => $conditionsAllowedOrgs, 'contain' => array('Organisation')));
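Review bot: the new comment promises that site admin roles are excluded "from every recipient query below", but the hunk header shows `admin_quickEmail($user_id)` immediately precedes this function and nothing in the patch touches it; if that path resolves its `$user_id` with an org-only lookup, the same `NOT` on `User.role_id` is needed there for the fix to be complete, so please confirm or add it. Minor style point in the same block: the org condition is written as a bare `'org_id'` while the new exclusion and the existing `'User.disabled'` key carry the `User.` prefix; since the `find` below uses `'contain' => array('Organisation')`, writing it as `'User.org_id'` keeps the condition unambiguous and consistent.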
    @@ -1687,6 +1694,9 @@ public function admin_email($isPreview=false)
             $conditions = array();
             if (!$this->_isSiteAdmin()) {
                 $conditions = array('org_id' => $this->Auth->user('org_id'));
    +            if (!empty($siteAdminRoleIds)) {
    +                $conditions['NOT'] = array('User.role_id' => $siteAdminRoleIds);
    +            }
             }
     
             // harvest parameters
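Review bot: this block is a verbatim copy of the exclusion added in the first hunk; building the condition once (a small helper returning the `'org_id'` and `'NOT' => array('User.role_id' => $siteAdminRoleIds)` pair, or reusing `$conditionsAllowedOrgs` as the base of `$conditions`) would keep the two queries from drifting apart in a later change. Also worth confirming in the code after `// harvest parameters`: the submitted recipient must be resolved with `$conditions` rather than by id alone, since filtering the list shown in the form is only effective if the server-side send path applies the same restriction.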
    

Vulnerability mechanics

Root cause

"Insufficient role-based authorization filtering allowed an organization administrator to select site administrator accounts as recipients in the administrative email workflow."

Attack vector

An authenticated organization administrator uses the administrative email functionality (`admin_email` or `admin_quickEmail`) to select a site administrator account that belongs to the same organization [ref_id=1]. Because the original code only restricted the query by `org_id` without excluding site admin role IDs, the attacker can initiate privileged account-management actions — such as a password reset workflow — against the higher-privileged site admin. This results in privilege escalation and potential takeover of the site administrator account, compromising the entire MISP instance's confidentiality, integrity, and availability.

Affected code

`app/Controller/UsersController.php`, in the `admin_email()` and `admin_quickEmail()` methods [patch_id=5749245]. The organization administrator's recipient query filtered by `org_id` but did not exclude users with a site administrator role, allowing an org admin to target site admin accounts in the same organization.

What the fix does

The patch in `app/Controller/UsersController.php` retrieves the site administrator role IDs via `$this->User->getSiteAdminRoleIds()` only when the current user is not already a site administrator [patch_id=5749245]. It then adds a `NOT` condition on `User.role_id` to both `$conditionsAllowedOrgs` and `$conditions` arrays, ensuring that organization administrators never see or act upon site administrator accounts even when those accounts belong to the same organization. This closes the authorization gap that previously allowed an org admin to select a same-org site admin as a recipient, preventing the privilege escalation path.
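The following is an added illustration, not MISP's own code (which is PHP on CakePHP and queries a database): a small Python model of the recipient-scoping logic described under "Attack vector" and "What the fix does". It places the pre-fix query (org scoping only) beside the fixed one (org scoping plus exclusion of site-admin role ids for non-site-admin callers) and adds a server-side check for the submitted recipient id. The role/user records, the `perm_site_admin` flag and every e-mail address are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    id: int
    name: str
    perm_site_admin: bool = False   # constructed stand-in for MISP's site-admin permission flag


@dataclass(frozen=True)
class User:
    id: int
    email: str
    org_id: int
    role_id: int
    disabled: bool = False


# Constructed sample data; not taken from the advisory or from any MISP instance.
ROLES = {
    1: Role(1, "admin", perm_site_admin=True),
    2: Role(2, "org_admin"),
    3: Role(3, "user"),
}
USERS = [
    User(1, "siteadmin@example.org", org_id=10, role_id=1),   # same org as the org admin
    User(2, "orgadmin@example.org", org_id=10, role_id=2),
    User(3, "analyst@example.org", org_id=10, role_id=3),
    User(4, "admin@example.net", org_id=20, role_id=2),       # different org
    User(5, "retired@example.org", org_id=10, role_id=3, disabled=True),
]


def site_admin_role_ids(roles=ROLES):
    """Analogue of the patch's getSiteAdminRoleIds(): ids of roles with site-admin rights."""
    return {rid for rid, role in roles.items() if role.perm_site_admin}


def is_site_admin(user, roles=ROLES):
    return roles[user.role_id].perm_site_admin


def recipients_vulnerable(current, users=USERS, roles=ROLES):
    """Pre-fix logic: a non-site-admin caller is limited to their own org and nothing else,
    so a same-org site admin appears in an org admin's recipient list."""
    scoped = [u for u in users if not u.disabled]           # User.disabled = 0
    if not is_site_admin(current, roles):
        scoped = [u for u in scoped if u.org_id == current.org_id]
    return sorted(u.email for u in scoped)


def recipients_fixed(current, users=USERS, roles=ROLES):
    """Post-fix logic: same org scoping, plus the NOT User.role_id IN (site admin roles)
    clause whenever the caller is not a site admin."""
    excluded = set() if is_site_admin(current, roles) else site_admin_role_ids(roles)
    scoped = [u for u in users if not u.disabled and u.role_id not in excluded]
    if not is_site_admin(current, roles):
        scoped = [u for u in scoped if u.org_id == current.org_id]
    return sorted(u.email for u in scoped)


def can_target(current, target_id, users=USERS, roles=ROLES):
    """Server-side check for the submitted recipient id: it must resolve to a user the
    fixed query would have offered, so the restriction holds regardless of what the
    form displayed."""
    allowed = set(recipients_fixed(current, users, roles))
    target = next((u for u in users if u.id == target_id), None)
    return target is not None and target.email in allowed


if __name__ == "__main__":
    org_admin = USERS[1]
    print("before fix:", recipients_vulnerable(org_admin))
    print("after fix: ", recipients_fixed(org_admin))
    print("org admin may target site admin id 1:", can_target(org_admin, 1))
```

The point the model makes explicit is that scoping by organisation alone is not an authorization boundary when higher-privileged roles can live inside the same organisation; the role exclusion has to be applied both to the list offered in the form and to the lookup of whatever recipient id is posted back.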

Preconditions

  • auth: The attacker must be authenticated as an organization administrator in MISP.
  • config: A site administrator account must belong to the same organization as the attacker.
  • input: The attacker must have access to the administrative email functionality (`admin_email` or `admin_quickEmail`).

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
