VYPR
High severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-54360

Description

MISP sharing group creation endpoint is vulnerable to mass assignment, letting an authenticated user overwrite any existing sharing group by supplying its ID.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2026-54360 is a mass assignment vulnerability in MISP’s sharing group creation endpoint (app/Controller/SharingGroupsController.php, add() action). When creating a new sharing group, the controller did not unset a user-supplied id field before saving the submitted data (it already stripped uuid for users not allowed to set one, but not id). In CakePHP 2, a primary key present in the data passed to save() makes the create() + save() sequence update the existing record with that key instead of inserting a new one. All MISP versions before commit 687e7cb530ae0e2faaadf5e3e44712258fb3ef1b are affected [1].

Exploitation

An authenticated user with permission to add sharing groups exploits this by POSTing to the sharing group creation endpoint with the id of an existing sharing group included in the submitted data. No edit permission on the target group is needed: the update happens inside add(), so the access-control checks that the edit action would perform are never run. No interaction by any other user is required [1].

Impact

A successful attack allows the authenticated user to modify (take over or alter) any sharing group in the MISP instance, even groups they should not have access to. This can lead to unauthorized changes to the group's configuration, membership, and shared data, affecting both the confidentiality and integrity of the information shared through those groups. The attacker effectively gains write access to arbitrary sharing groups, which may include groups containing sensitive intelligence or threat data [1].

Mitigation

The fix is contained in commit 687e7cb530ae0e2faaadf5e3e44712258fb3ef1b, which adds an unset() call on the id field before saving in the add() action. MISP administrators should update to a version that includes this commit as soon as possible. No workaround is detailed in the available reference [1]. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Misp/Misp, 2 affected version entries (no CPE assigned)

Patches

1 patch · 687e7cb530ae

fix: [security] sharing groups mass assignment fix in add

https://github.com/MISP/MISP · iglocska · Jun 11, 2026 · via nvd-ref
1 file changed · +4 −0
  • app/Controller/SharingGroupsController.php (modified, +4 −0)
    @@ -78,6 +78,10 @@ public function add()
                     }
                 }
                 $this->SharingGroup->create();
    +            // Never allow an id to be supplied on add: a primary key in the save data turns
    +            // create() + save() into an update of an arbitrary existing sharing group, bypassing
    +            // the edit ACL and letting a user take over a SG they have no access to.
    +            unset($sg['id']);
                 if (!$canModifyUuid) {
                     unset($sg['uuid']);
                 }
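Review bot: the new unset() right after `$this->SharingGroup->create();` is a denylist fix, and the hunk shows the same pattern a few lines down for `uuid`, so the action now strips two fields by name while every other key in `$sg` still reaches save() exactly as submitted. Consider replacing the pair of unset() calls with a whitelist, for example passing `array('fieldList' => array(...))` to the save call so that only the columns add() is meant to accept are written; that also covers any further column that should be server-controlled. Separately, a regression test that POSTs an existing sharing group's id to add and asserts that a new row is inserted would pin this behaviour down, since nothing in the hunk covers it.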
    

Vulnerability mechanics

Root cause

"Missing input sanitization of the `id` field in the sharing group add action allows a mass-assignment attack that turns a record creation into an unauthorized update."

Attack vector

An authenticated user with permission to add sharing groups sends a POST request to the `add()` endpoint with a crafted payload that includes the `id` field set to an existing sharing group's identifier [ref_id=1]. The controller does not `unset()` the user-supplied `id`, so CakePHP's ORM treats the operation as an update of that existing sharing group instead of creating a new one. Because the update flows through `add()` rather than `edit()`, the normal edit access-control checks are never performed [patch_id=5749243]. This allows the attacker to modify or take over any sharing group they do not own.

Affected code

The `add()` action in `app/Controller/SharingGroupsController.php` did not strip a user-supplied `id` field from the submitted data before calling `save()`. In CakePHP, a primary key in the save data converts the intended `create()` + `save()` into an **update** of an existing record, bypassing the normal edit access-control checks on the `edit()` action [ref_id=1][patch_id=5749243].

What the fix does

The patch adds a single line — `unset($sg['id'])` — immediately after `$this->SharingGroup->create()` and before the save operation [patch_id=5749243]. This removes any `id` key that an attacker might have injected into the submitted data. Without an `id` in the data array, CakePHP's ORM will always insert a new record as originally intended, and cannot silently redirect the operation into an update of an arbitrary existing sharing group [ref_id=1].
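The create() + save() rule described in the Vulnerability section and the effect of the one-line fix above, as an added worked example. This is constructed code, not MISP's or CakePHP's: ToyModel mimics only the single CakePHP 2 rule the advisory depends on (a primary key in the saved data that matches an existing row means UPDATE, otherwise INSERT), and the sharing-group columns, the server-side org_id assignment and the three add() shapes are assumptions for illustration. The whitelist variant goes beyond the page's fix to show the stricter alternative.

```python
"""How a user-supplied primary key turns CakePHP's create()+save() into an UPDATE.

Added example, not MISP or CakePHP code: ToyModel mimics only the one rule the
advisory depends on, and the sharing-group columns, the org_id handling and the
ACL-free add() shapes below are constructed for illustration.
"""
from copy import deepcopy


class ToyModel:
    """Stand-in for a CakePHP 2 model backed by one table (id -> row)."""

    def __init__(self):
        self.rows = {}
        self.next_id = 1

    def create(self):
        """CakePHP's Model::create() only clears buffered model data; it does not
        decide insert vs update, so calling it first gives no protection."""
        return None

    def save(self, data):
        """CakePHP 2 rule: a primary key in the data that matches an existing row
        means UPDATE that row; otherwise INSERT a new one. Returns the row id."""
        pk = data.get("id")
        fields = {k: v for k, v in data.items() if k != "id"}
        if pk is not None and pk in self.rows:
            self.rows[pk].update(fields)          # UPDATE ... WHERE id = pk
            return pk
        new_id = self.next_id
        self.next_id += 1
        self.rows[new_id] = fields                # INSERT
        return new_id


def add_vulnerable(model, user, submitted):
    """Pre-fix shape of add(): submitted keys, id included, go straight to save().
    org_id is set server-side to the caller's org (assumed, MISP-like detail),
    which is what makes the overwrite an ownership takeover."""
    sg = deepcopy(submitted)
    sg["org_id"] = user["org_id"]
    model.create()
    return model.save(sg)


def add_fixed(model, user, submitted):
    """Post-fix shape: the equivalent of unset($sg['id']) right after create()."""
    sg = deepcopy(submitted)
    sg.pop("id", None)
    sg["org_id"] = user["org_id"]
    model.create()
    return model.save(sg)


# Whitelist variant (goes beyond the page's fix): only fields add() is meant to
# accept survive, so no future server-controlled column can be mass-assigned.
ALLOWED_ON_ADD = frozenset({"name", "releasability", "description", "active"})


def add_whitelist(model, user, submitted):
    sg = {k: v for k, v in submitted.items() if k in ALLOWED_ON_ADD}
    sg["org_id"] = user["org_id"]
    model.create()
    return model.save(sg)


def demo():
    """Org 1 owns sharing group 1; a user from org 2 posts {'id': 1, ...} to add.
    Returns, per variant, the id save() reported, the final state of SG 1 and the
    row count, so the three outcomes can be compared."""
    variants = {"vulnerable": add_vulnerable, "fixed": add_fixed, "whitelist": add_whitelist}
    attacker = {"org_id": 2}
    payload = {"id": 1, "name": "Hijacked", "releasability": "TLP:CLEAR"}  # constructed
    results = {}
    for label, add in variants.items():
        model = ToyModel()
        model.create()
        model.save({"name": "Victim SG", "releasability": "TLP:RED", "org_id": 1})  # id 1
        returned_id = add(model, attacker, payload)
        results[label] = {
            "returned_id": returned_id,
            "sg1": deepcopy(model.rows[1]),
            "rows": len(model.rows),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} save() returned id {outcome['returned_id']}, "
              f"SG1 now {outcome['sg1']}, {outcome['rows']} row(s)")
```

In the vulnerable variant the attacker's request "creates" nothing: save() returns id 1, the victim's row is rewritten and its org_id now belongs to the attacker's org, all without touching the edit action. With the id popped (the page's fix) or with a field whitelist, the same request inserts row 2 and row 1 is untouched.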

Preconditions

  • Auth: the attacker must be an authenticated MISP user with permission to add sharing groups.
  • Input: the attacker must know or guess the ID of an existing sharing group they do not own.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1. MISP fix commit 687e7cb530ae0e2faaadf5e3e44712258fb3ef1b in https://github.com/MISP/MISP (listed as the NVD reference)
