CVE-2026-54361
Description
MISP authenticated mass assignment vulnerabilities allowed modification of protected fields in multiple controllers, fixed by pinning ownership fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MISP versions prior to the fix contain multiple mass assignment vulnerabilities in CollectionsController::edit(), EventDelegationsController::delegateEvent(), ShadowAttributesController::edit(), TagCollectionsController::edit(), and TagCollectionsController::editWithTags(). These endpoints accepted user-supplied fields such as id, org_id, orgc_id, and user_id which should have been server-controlled. An authenticated attacker could craft requests containing these fields to alter object ownership, redirect updates to different records, or overwrite existing delegations and shadow attributes [1].
Exploitation
An authenticated attacker with network access to the affected MISP endpoints can exploit these vulnerabilities without any user interaction. The attacker crafts HTTP requests that include protected fields (primary keys and ownership-related fields) in the request data. For example, in CollectionsController::edit(), injecting a different id directs the save to another collection, while org_id, orgc_id, and user_id fields change ownership. In EventDelegationsController::delegateEvent(), supplying an id turns a create operation into an update of an existing delegation request [1].
Impact
Successful exploitation allows unauthorized modification of MISP objects, including changing ownership (org, orgc, user) or overwriting records of other organizations. This could lead to unauthorized access to or transfer of sensitive threat intelligence data, depending on object visibility and sharing configuration [1].
Mitigation
The vulnerability is fixed by commit 9341690e9b6dde7f0605edea5533e05ba7362e35 [1], which explicitly pins identity and ownership fields to stored values during edit operations and removes user-supplied primary keys from create-only save paths. Affected users should update MISP to a version containing this commit. No workarounds are provided in the available reference [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (1)
9341690e9b6d fix: [security] multiple mass assignment vulnerabilities fixed
4 files changed · +31 −0
app/Controller/CollectionsController.php+12 −0 modified@@ -98,6 +98,18 @@ public function edit($id) } } $params = [ + // Identity and ownership fields must never be reassigned through edit. The model only + // forces these on create (Collection::beforeValidate runs its ownership block only when + // the id is empty), and CRUDComponent::edit() copies every supplied field onto the loaded + // record. Without pinning them here a user could hand the collection to another org/user, + // or redirect the save onto a different collection via an injected id (mayModify only + // checked the id from the route). Force them back to the stored values. + 'override' => [ + 'id' => $oldCollection['Collection']['id'], + 'orgc_id' => $oldCollection['Collection']['orgc_id'], + 'org_id' => $oldCollection['Collection']['org_id'], + 'user_id' => $oldCollection['Collection']['user_id'], + ], 'afterSave' => function (array &$collection) use ($data) { $collection = $this->Collection->CollectionElement->captureElements($collection); return $collection;
app/Controller/EventDelegationsController.php+5 −0 modified@@ -63,6 +63,11 @@ public function delegateEvent($id) $this->request->data['EventDelegation']['requester_org_id'] = $this->Auth->user('org_id'); $org_id = $this->Toolbox->findIdByUuid($this->EventDelegation->Event->Org, $this->request->data['EventDelegation']['org_id']); $this->request->data['EventDelegation']['org_id'] = $org_id; + // Never allow an id to be supplied here: a primary key in the save data turns + // create() + save() into an update of an arbitrary existing delegation. The auth + // checks above only cover the event in the URL, so an injected id would let a user + // overwrite a delegation request belonging to another event/org. + unset($this->request->data['EventDelegation']['id']); $this->EventDelegation->create(); $result = $this->EventDelegation->save($this->request->data['EventDelegation']); $org = $this->EventDelegation->Event->Org->find('first', array(
app/Controller/ShadowAttributesController.php+5 −0 modified@@ -606,6 +606,11 @@ public function edit($id = null) } $this->request->data['ShadowAttribute']['org_id'] = $this->Auth->user('org_id'); $this->request->data['ShadowAttribute']['email'] = $this->Auth->user('email'); + // The $id route param identifies the *attribute* being proposed against, not the proposal. + // A ShadowAttribute id in the request data would turn this save into an update of an + // arbitrary existing proposal (belonging to another org), so strip it: edit() only ever + // creates a new proposal. Mirrors the same guard in add(). + unset($this->request->data['ShadowAttribute']['id']); if ($this->ShadowAttribute->save($this->request->data)) { $emailResult = ""; if (!isset($this->request->data['ShadowAttribute']['deleted']) || !$this->request->data['ShadowAttribute']['deleted']) {
app/Controller/TagCollectionsController.php+9 −0 modified@@ -168,6 +168,11 @@ public function edit($id) 'beforeSave' => function (array $data) use ($tagCollection) { $data['TagCollection']['id'] = $tagCollection['TagCollection']['id']; $data['TagCollection']['uuid'] = $tagCollection['TagCollection']['uuid']; + // Ownership must never be reassigned through edit: it is only set on create, and + // CRUDComponent::edit() copies every supplied field, so pin org_id/user_id back to + // the stored values to prevent transferring the collection to another org/user. + $data['TagCollection']['org_id'] = $tagCollection['TagCollection']['org_id']; + $data['TagCollection']['user_id'] = $tagCollection['TagCollection']['user_id']; return $data; } ]; @@ -201,6 +206,10 @@ public function editWithTags($id) $data['TagCollection']['id'] = $id; $data['TagCollection']['uuid'] = $tagCollection['TagCollection']['uuid']; + // Ownership must never be reassigned through edit; pin org_id/user_id back to the stored + // values so a supplied org_id/user_id cannot transfer the collection to another org/user. + $data['TagCollection']['org_id'] = $tagCollection['TagCollection']['org_id']; + $data['TagCollection']['user_id'] = $tagCollection['TagCollection']['user_id']; if (isset($data['TagCollection']['tags'])) { $data['TagCollectionTag'] = [];
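Review bot: the 'override' block in CollectionsController::edit() pins id, orgc_id, org_id and user_id to $oldCollection, but its effectiveness depends on CRUDComponent::edit() applying 'override' after it has merged the request data onto the loaded record, which this hunk cannot show; a regression test that submits an edit carrying a foreign id and org_id and asserts the stored collection's id and ownership are unchanged would lock that ordering in. The TagCollectionsController hunk pins uuid alongside id; if Collection also has a uuid column, pin it here in the same 'override' array.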
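Review bot: in EventDelegationsController::delegateEvent() the unset() removes the one key the comment names, but save() is still handed the whole $this->request->data['EventDelegation'] array, so any other column that should be server-controlled stays reachable; an allowlist (the fieldList option of save(), or rebuilding the array from the server-set requester_org_id, the resolved org_id and the fields the form legitimately supplies) would cover future columns too. Worth confirming in the surrounding code that event_id is taken from the $id route parameter rather than from the request, since the comment says the auth checks above only cover the event in the URL.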
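Review bot: unlike delegateEvent(), the ShadowAttributesController::edit() path shows no $this->ShadowAttribute->create() call before save() in the visible context; unless one appears earlier in edit(), call create() explicitly so the model's id is reset and the insert does not depend on state left by an earlier operation in the same request. The comment says the guard mirrors add(); a shared test case exercising both actions with an injected id would keep the two from drifting apart.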
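Review bot: the org_id/user_id pinning now appears twice in TagCollectionsController, in edit()'s beforeSave closure and again in editWithTags(); factor the four assignments (id, uuid, org_id, user_id) into one helper used by both paths so that a future ownership column is pinned in both places at once. The second hunk pins id from the $id route parameter while edit() pins it from the loaded $tagCollection; both are correct as long as $tagCollection is loaded by $id, and a shared helper would make that one source of truth.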
Vulnerability mechanics
Root cause
"Missing server-side enforcement of ownership and identity fields allowed user-supplied values to overwrite protected attributes during edit and create operations."
Attack vector
An authenticated attacker can craft HTTP requests to the affected MISP endpoints supplying protected fields (`id`, `orgc_id`, `org_id`, `user_id`) in the request body [ref_id=1]. In `EventDelegationsController::delegateEvent()` and `ShadowAttributesController::edit()` the injected primary key (`id`) turns a create operation into an update of an arbitrary existing record belonging to another organization. In `CollectionsController::edit()` and `TagCollectionsController::edit()`/`editWithTags()`, injected ownership fields let the attacker transfer a collection or tag collection to a different org or user. No user interaction is required; the attacker only needs valid authentication and network access to the platform.
Affected code
The vulnerabilities reside in `CollectionsController::edit()`, `EventDelegationsController::delegateEvent()`, `ShadowAttributesController::edit()`, and `TagCollectionsController::edit()` / `TagCollectionsController::editWithTags()` (patch_id=5749242). These controller actions accepted user-supplied fields such as `id`, `orgc_id`, `org_id`, and `user_id` that should have been server-controlled, allowing authenticated attackers to alter object ownership or redirect saves to unintended records.
What the fix does
The patch pins ownership and identity fields to their stored values before save. In `CollectionsController`, an `'override'` block forces `id`, `orgc_id`, `org_id`, and `user_id` back to the originally loaded record [patch_id=5749242]. In `TagCollectionsController::edit()` and `editWithTags()`, the `beforeSave` callback overwrites supplied `org_id`/`user_id` with the stored values. In `EventDelegationsController::delegateEvent()` and `ShadowAttributesController::edit()`, any user-supplied `id` is stripped via `unset()`, preventing a create-and-save from becoming an update of an arbitrary existing delegation or proposal.
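As an added example that is not MISP's code, the following Python models the CakePHP save semantics the Exploitation and fix descriptions above rely on: an edit path where identity and ownership fields are pinned back to the loaded record, and a create-only path where a caller-supplied id is stripped so the save cannot become an update. The table rows, the user, and the `name`/`event_id` fields are constructed; only `id`, `org_id`, `orgc_id`, `user_id` and `requester_org_id` come from the advisory.

```python
# Added example, not MISP's own code: a small model of the CakePHP save semantics the
# advisory relies on, with the vulnerable edit/create behaviour beside the pinned one.
from copy import deepcopy

# Constructed sample rows: two collections owned by different orgs, one delegation request.
COLLECTIONS = {
    1: {"id": 1, "org_id": 10, "orgc_id": 10, "user_id": 100, "name": "alpha"},
    2: {"id": 2, "org_id": 20, "orgc_id": 20, "user_id": 200, "name": "beta"},
}
DELEGATIONS = {5: {"id": 5, "event_id": 7, "org_id": 30, "requester_org_id": 20}}
PINNED = ("id", "orgc_id", "org_id", "user_id")  # fields the Collections 'override' pins


def fresh_tables():
    """Returns copies of the constructed tables so each scenario starts clean."""
    return deepcopy(COLLECTIONS), deepcopy(DELEGATIONS)


def cake_save(table, data):
    """Models Model::save(): a primary key present in the data updates that row, else inserts."""
    if data.get("id") in table:
        table[data["id"]].update(data)
        return table[data["id"]]
    data["id"] = max(table, default=0) + 1
    table[data["id"]] = data
    return data


def edit_collection(table, route_id, user, request_data, pin=True):
    """CRUD-style edit: authorize on the record loaded by route id, then merge supplied fields."""
    old = table[route_id]
    if old["org_id"] != user["org_id"]:  # mayModify() is evaluated on the route id only
        raise PermissionError("not allowed")
    data = deepcopy(old)
    data.update(request_data)  # mass assignment: every supplied field lands on the record
    if pin:  # the fix: force identity and ownership back to the stored values
        data.update({f: old[f] for f in PINNED})
    return cake_save(table, data)


def delegate_event(table, user, request_data, strip_id=True):
    """Create-only path: the server sets the requester, and the fix drops any supplied id."""
    data = dict(request_data)
    data["requester_org_id"] = user["org_id"]
    if strip_id:
        data.pop("id", None)  # without this, create()+save() becomes an update of that row
    return cake_save(table, data)
```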
Preconditions
- auth: The attacker must have a valid authenticated session on the MISP instance.
- network: The attacker must be able to reach the affected controller endpoints over HTTP/HTTPS.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.