VYPR
High severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-54359

Description

MISP's insecure default disables Sec-Fetch-Site header validation, enabling CSRF attacks on automation endpoints via crafted web pages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

MISP versions prior to the fix have Security.check_sec_fetch_site_header disabled by default. This means that state-changing requests (POST, PUT, AJAX) are not restricted based on the browser-provided Sec-Fetch-Site header. The default value is false as seen in the commit [1]. This insecure default configuration allows cross-site request forgery attacks.

Exploitation

A remote unauthenticated attacker can craft a malicious web page that, when visited by an authenticated MISP user, issues cross-site requests to MISP automation endpoints. Because the Sec-Fetch-Site header check is disabled, MISP processes these requests regardless of the origin that initiated them. The attacker needs no special network position beyond hosting the page; the victim's browser attaches the session cookies, so the forged requests execute with the victim's privileges.

Impact

Successful exploitation allows unauthorized modification of MISP data or configuration, operating with the privileges of the victim user. The attacker can perform state-changing operations such as creating, updating, or deleting data via the automation endpoints. The impact is limited to the permissions of the victim user.

Mitigation

Enable Security.check_sec_fetch_site_header in MISP's server configuration. The commit [1] adds a test function to warn admins about this setting. Operators of multi-homed MISP deployments should validate the setting before enforcing it, as it may block legitimate cross-origin requests. The fix was committed on the date of the CVE publication (2026-06-12). No workaround other than enabling the setting is mentioned.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Misp/Misp: 2 versions affected (no CPE available for either)

Patches

1
b82db1bcaa55

chg: [security] warn admins of a dangerous default setting that should be hardened

https://github.com/MISP/MISP · iglocska · Jun 11, 2026 · via nvd-ref
1 file changed · +11 −4
  • app/Model/Server.php (+11 −4, modified)
    @@ -2257,6 +2257,14 @@ public function testForRPZBehaviour($value)
             return true;
         }
     
    +    public function testSecFetchSiteHeader($value)
    +    {
    +        if (!empty($value)) {
    +            return true;
    +        }
    +        return 'Sec-Fetch-Site header disabled. This can potentially open up the instance to CSRF attacks via automation endpoints. Enabling this is recommended but can actively prevent the operation of instances hosted under multiple addresses.';
    +    }
    +
         public function sightingsBeforeHook($setting, $value)
         {
             if ($value == true) {
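Review bot: the warning text returned by testSecFetchSiteHeader is a raw string literal, while the setting description touched in the next hunk is wrapped in __() for translation; wrap it the same way for consistency (`return __('Sec-Fetch-Site header disabled. ...');`). A short docblock would also help: `!empty($value)` treats the string "0" and an unset value as disabled but any other non-empty string as enabled, which is acceptable only while the setting's type stays boolean.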
    @@ -7151,9 +7159,8 @@ private function generateServerSettings()
                         'level' => 0,
                         'description' => __('If enabled, any POST, PUT or AJAX request will only be allowed when Sec-Fetch-Site header is not defined or contains "same-origin".'),
                         'value' => false,
    -                    'test' => 'testBool',
    -                    'type' => 'boolean',
    -                    'null' => true,
    +                    'test' => 'testSecFetchSiteHeader',
    +                    'type' => 'boolean'
                     ],
                     'force_https' => [
                         'level' => self::SETTING_OPTIONAL,
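Review bot: `'value' => false` is left in place, so this hunk only surfaces a warning; an instance that never touches the setting stays in the CSRF-exposed configuration. If a secure default is ruled out by instances hosted under multiple addresses, the description string should at least state that trade-off, which currently appears only in the warning returned by testSecFetchSiteHeader. Dropping `'null' => true` also means an unset value is now routed through the new test and reported rather than tolerated; that looks intended but deserves a line in the commit message.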
    @@ -7499,7 +7506,7 @@ private function generateServerSettings()
                         'value' => '',
                         'test' => 'testForCookieTimeout',
                         'type' => 'numeric'
    -                )
    +                ),
                 ),
                 'Plugin' => array(
                     'branch' => 1,
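Review bot: the trailing comma added at `),` is a style-only change unrelated to the Sec-Fetch-Site hardening and is not mentioned in the commit message; either note it there or split it out so the security change stays minimal for backporting.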
    

Vulnerability mechanics

Root cause

"The default configuration disables validation of the Sec-Fetch-Site header, allowing cross-site requests to be processed as if they were same-origin."

Attack vector

A remote unauthenticated attacker can craft a malicious web page that, when visited by an authenticated MISP user, triggers cross-site requests to MISP automation endpoints (POST/PUT/AJAX). Because `Security.check_sec_fetch_site_header` is disabled by default, MISP does not verify the browser-provided `Sec-Fetch-Site` header, so the forged requests are accepted with the victim's privileges [ref_id=1]. This is a classic cross-site request forgery (CSRF) vector — [CWE-352]. Preconditions: the victim must be logged into MISP (auth), and the attacker must be able to lure the victim's browser (network).

Affected code

The patch modifies `app/Model/Server.php` in the `generateServerSettings()` method, changing the `Security.check_sec_fetch_site_header` setting from a plain `testBool` boolean (with `null` allowed) to a new `testSecFetchSiteHeader` validation method. The default value remains `false` (disabled); the new test function returns a warning message whenever the setting is left disabled.

What the fix does

The patch changes the `Security.check_sec_fetch_site_header` setting from a plain boolean (`testBool`, with `null` allowed) to use a custom `testSecFetchSiteHeader` validation function. That function returns a warning message if the setting is disabled (empty/false), alerting administrators to the CSRF risk. The setting's description states that enabling it restricts POST/PUT/AJAX requests to same-origin only, which closes the cross-site forgery vector [patch_id=5749244].
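As an added illustration (not MISP's own code), the following PHP filter applies the rule the setting's description states: POST, PUT and AJAX requests pass only when `Sec-Fetch-Site` is absent or `same-origin`. It also adds a report-only mode of the kind an operator of an instance reached under several addresses could use to inventory legitimate cross-origin callers before enforcing the setting, the concern the Mitigation section raises. The function name `secFetchSitePolicy`, the report-only mode and the sample requests are assumptions constructed for this example.

```php
<?php
// Added example, not code from MISP. It mirrors the rule in the setting's
// description: POST, PUT and AJAX requests pass only when Sec-Fetch-Site is
// absent or "same-origin". The function name and the report-only mode are
// assumptions made for this illustration.
declare(strict_types=1);

/**
 * Decide whether a request may proceed under the Sec-Fetch-Site policy.
 *
 * @param string      $method       HTTP method of the request
 * @param string|null $secFetchSite Sec-Fetch-Site header value, or null when absent
 * @param bool        $isAjax       true when the request is flagged as AJAX (e.g. X-Requested-With)
 * @param bool        $enforce      true = block; false = allow but log (report-only, for staging
 *                                  the change on instances reached via several addresses)
 * @return array{allowed: bool, reason: string}
 */
function secFetchSitePolicy(string $method, ?string $secFetchSite, bool $isAjax, bool $enforce = true): array
{
    $stateChanging = $isAjax || in_array(strtoupper($method), ['POST', 'PUT'], true);
    if (!$stateChanging) {
        return ['allowed' => true, 'reason' => 'not a POST/PUT/AJAX request'];
    }

    // Non-browser API clients and older browsers send no Sec-Fetch-Site header;
    // the setting's description treats an absent header as acceptable.
    if ($secFetchSite === null || trim($secFetchSite) === '') {
        return ['allowed' => true, 'reason' => 'header absent'];
    }

    $site = strtolower(trim($secFetchSite));
    if ($site === 'same-origin') {
        return ['allowed' => true, 'reason' => 'same-origin'];
    }

    // "cross-site", "same-site" and "none": the request was not initiated by a
    // page on this origin. Only "same-origin" is accepted, as in the setting's
    // wording, so a sibling host that legitimately posts here shows up as
    // "same-site" and is exactly the case report-only mode is meant to surface.
    $reason = 'Sec-Fetch-Site "' . $site . '" is not same-origin';
    if (!$enforce) {
        error_log(sprintf('[sec-fetch-site report-only] %s request would be blocked: %s', $method, $reason));
        return ['allowed' => true, 'reason' => 'report-only: ' . $reason];
    }
    return ['allowed' => false, 'reason' => $reason];
}

// Constructed sample requests for the demo (not captured traffic).
$samples = [
    ['GET',  'cross-site',  false],  // read-only navigation: allowed
    ['POST', null,          false],  // API client without the header: allowed
    ['POST', 'same-origin', false],  // form or XHR from this origin: allowed
    ['POST', 'cross-site',  false],  // forged request from another site: blocked
    ['GET',  'same-site',   true],   // AJAX from a sibling host: blocked when enforcing
];

foreach ($samples as [$method, $header, $ajax]) {
    $decision = secFetchSitePolicy($method, $header, $ajax);
    printf("%-4s %-12s ajax=%d => %s (%s)\n",
        $method, $header ?? '(absent)', $ajax ? 1 : 0,
        $decision['allowed'] ? 'allow' : 'block', $decision['reason']);
}

// The same sibling-host request in report-only mode is allowed but logged,
// which is how an operator would inventory legitimate cross-origin callers
// before flipping Security.check_sec_fetch_site_header to enforcing.
$staged = secFetchSitePolicy('GET', 'same-site', true, false);
printf("report-only: %s (%s)\n", $staged['allowed'] ? 'allow' : 'block', $staged['reason']);
```

Two design points worth noting. An absent header is allowed because the setting's own description allows it; that keeps API scripts and older browsers working, so the check reduces browser-originated CSRF rather than replacing token-based protection. Running the filter in report-only mode first and reviewing the logged `same-site`/`cross-site` entries is the practical way to find out whether a multi-address deployment depends on cross-origin requests before the setting is enforced.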

Preconditions

  • auth: Victim must be authenticated to a MISP instance where Security.check_sec_fetch_site_header is disabled (the default).
  • network: Attacker must be able to lure the victim's browser to a crafted page that sends cross-site requests to the MISP instance.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
