VYPR
Medium severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-54362

Description

MISP event template builder's incorrect access control exposes private galaxy metadata to authenticated non-site-admin users due to a PHP comparison used instead of a query condition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The bug is in the __setBuilderConfig() method of EventTemplatesController: the hand-rolled access-control array contained the PHP comparison expression 'Galaxy.distribution' > 0 where a CakePHP query condition (such as 'Galaxy.distribution >' => 0) was intended. PHP evaluates that expression while the array literal is built, so the array carries a literal boolean under a numeric key instead of a column filter; on PHP 8, where a non-numeric string compared with an integer is compared as strings, that literal is true. The find() call therefore returned every enabled galaxy, including organisation-only custom galaxies (distribution 0) belonging to other organisations. The issue affects MISP versions without fix commit 8aa2bb6 [1].

Exploitation

An attacker needs only a valid non-site-admin user account (any organisation role) with access to the event template builder. The attacker navigates to the template builder interface and loads the list of available galaxies. Due to the flawed condition, the list includes galaxies that are marked as organisation-only for other organisations. The attacker can then see the names and metadata of those private galaxy definitions. No further permissions or special timing is required.

Impact

Successful exploitation results in the disclosure of metadata about private galaxy definitions belonging to other organisations. While this does not allow modification of data or direct code execution, it leaks sensitive information about custom galaxy structures that may be intended to remain internal (e.g., threat intel context, classification hints). The confidentiality of such custom galaxy definitions is compromised.

Mitigation

The fix is commit 8aa2bb6 [1], which replaces the hand-rolled condition with the Galaxy model's buildConditions() method. Upgrade MISP to a release that includes this commit. If an immediate upgrade is not possible, administrators may restrict access to the event template builder as a temporary workaround. No KEV listing is known at this time.

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Misp/Misp (2 versions listed, no CPE)

Patches

8aa2bb6d1af6

fix: [security] exposing non visible galaxies for template creation

https://github.com/MISP/MISP · iglocska · Jun 11, 2026 · via nvd-ref
1 file changed · +5 −10
  • app/Controller/EventTemplatesController.php (+5 −10, modified)
    @@ -1010,21 +1010,16 @@ private function __setBuilderConfig()
                 );
             }
             $this->set('taxonomiesAvailable', $taxonomies);
    -        $orgCondition = $this->_isSiteAdmin()
    -            ? array()
    -            : array(
    -                'OR' => array(
    -                    'Galaxy.org_id' => (int)$this->Auth->user('org_id'),
    -                    'Galaxy.distribution' > 0,
    -                ),
    -            );
    -
             $this->loadModel('Galaxy');
             $galaxyRows = $this->Galaxy->find('all', array(
                 'recursive' => -1,
                 'conditions' => array(
                     'Galaxy.enabled' => true,
    -                $orgCondition,
    +                // Use the canonical galaxy visibility filter. The previous hand-rolled condition
    +                // `'Galaxy.distribution' > 0` was a PHP comparison (always evaluating to true), not a
    +                // query condition, so every org's galaxies - including org-only (distribution 0) custom
    +                // galaxies belonging to other orgs - leaked into the template builder list.
    +                $this->Galaxy->buildConditions($this->Auth->user()),
                 ),
                 'fields' => array(
                     'Galaxy.type',
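Review bot: the replacement at the `$this->Galaxy->buildConditions($this->Auth->user())` line is the right fix, but the hunk adds no regression test; a controller test that logs in a non-site-admin user from one organisation and asserts that an enabled galaxy with `distribution` 0 owned by another organisation is absent from `galaxyRows` would catch a repeat of this. The new comment's "always evaluating to true" holds on PHP 8, where an integer compared with a non-numeric string is compared as strings; on PHP 7 the same `'Galaxy.distribution' > 0` coerces the string to 0 and evaluates to false, so the comment would be more precise saying the expression produced a PHP boolean under a numeric key rather than a column condition, whichever way it evaluated. The form the author evidently wanted was `'Galaxy.distribution >' => 0`. Finally, the removed site-admin short-circuit (`array()`) is now delegated entirely to `buildConditions()`; it is worth confirming that this method returns no restriction for site admins so the builder keeps showing them every enabled galaxy.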
    

Vulnerability mechanics

Root cause

"A PHP comparison expression (`'Galaxy.distribution' > 0`) was used as a query condition, always evaluating to true instead of filtering galaxies by organisation visibility."

Attack vector

An authenticated user who is not a site-admin navigates to the MISP event template builder. The `__setBuilderConfig()` method previously deployed a hand-rolled access-control condition containing the PHP comparison expression `'Galaxy.distribution' > 0` instead of a proper query condition [patch_id=5750825]. PHP evaluated that expression while building the conditions array (on PHP 8, where an integer compared with a non-numeric string is compared as strings, it is true), leaving a literal boolean rather than a column filter, so the query returned all enabled galaxies, including organisation-only (distribution 0) custom galaxies belonging to other organisations, and rendered them in the galaxy-selection list. An attacker can therefore browse or select galaxies that should be hidden from their organisation, learning the names and metadata of private galaxy definitions.

What the fix does

The patch removes the manual `$orgCondition` block that carried the PHP comparison `'Galaxy.distribution' > 0`, a boolean expression rather than a query condition, which defeated the intended visibility filter [patch_id=5750825]. It replaces that fragment with a call to `$this->Galaxy->buildConditions($this->Auth->user())`, the Galaxy model's existing organisation-aware visibility filter, which the patch comment describes as the canonical one. The builder's galaxy query is thereby subject to the same visibility rule as the rest of MISP, so organisation-only galaxies of other organisations are no longer returned, closing the information disclosure.
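The difference between the two array literals, and its effect on the rows a query returns, as an added example that is not MISP or CakePHP code: the script below builds the vulnerable condition and the one evidently intended, then runs both through a small in-memory evaluator for the subset of CakePHP 2 conditions syntax involved, over constructed galaxy rows. The evaluator, the sample rows and every function name here are this example's own; the evaluator approximates how CakePHP treats numeric-keyed entries (an empty value is dropped, an array is a nested group, any other truthy value is a constant-true term) and is not DboSource. It needs PHP 8, both for `match` and because the value of `'Galaxy.distribution' > 0` depends on PHP 8's string/int comparison rules.

```php
<?php
declare(strict_types=1);

// Added example, not MISP code. Requires PHP 8. All rows below are constructed sample data.

// Constructed sample rows in the shape of the Galaxy columns the builder query touches.
function sampleGalaxies(): array {
    return [
        ['id' => 1, 'name' => 'mitre-attack-pattern', 'org_id' => 1, 'distribution' => 3, 'enabled' => true],
        ['id' => 2, 'name' => 'orgA-internal-actors', 'org_id' => 1, 'distribution' => 0, 'enabled' => true],
        ['id' => 3, 'name' => 'orgB-case-tags',       'org_id' => 2, 'distribution' => 0, 'enabled' => true],
        ['id' => 4, 'name' => 'orgB-shared-sectors',  'org_id' => 2, 'distribution' => 1, 'enabled' => true],
        ['id' => 5, 'name' => 'orgB-retired',         'org_id' => 2, 'distribution' => 1, 'enabled' => false],
    ];
}

// The condition as written in the vulnerable code. PHP evaluates the comparison while
// building the literal, so the inner array ends up as ['Galaxy.org_id' => N, 0 => true]
// on PHP 8 (on PHP 7 the string coerces to 0 and the entry would be false instead).
function buggyOrgCondition(int $orgId): array {
    return ['OR' => [
        'Galaxy.org_id' => $orgId,
        'Galaxy.distribution' > 0,
    ]];
}

// The condition the author evidently meant: in CakePHP 2 the operator lives in the key.
function intendedOrgCondition(int $orgId): array {
    return ['OR' => [
        'Galaxy.org_id' => $orgId,
        'Galaxy.distribution >' => 0,
    ]];
}

// In-memory evaluator for the subset of CakePHP 2 conditions syntax used here
// ('Model.field' => v, 'Model.field OP' => v, 'OR'/'AND' groups, numeric-key entries).
// Illustrative approximation of DboSource, not the real thing.
function rowMatches(array $conditions, array $row, bool $anyOf = false): bool {
    $terms = [];
    foreach ($conditions as $key => $value) {
        if (is_int($key)) {
            if (empty($value)) {
                continue;                                  // CakePHP drops empty numeric-key entries
            }
            $terms[] = is_array($value) ? rowMatches($value, $row) : true;  // nested group, or a constant
            continue;
        }
        $upper = strtoupper($key);
        if ($upper === 'OR' || $upper === 'AND') {
            $terms[] = rowMatches($value, $row, $upper === 'OR');
            continue;
        }
        [$field, $op] = array_pad(explode(' ', trim($key), 2), 2, '=');
        $dot = strrpos($field, '.');
        $column = $dot === false ? $field : substr($field, $dot + 1);   // 'Galaxy.org_id' -> 'org_id'
        $actual = $row[$column];
        $terms[] = match ($op) {
            '='  => $actual == $value,
            '!=' => $actual != $value,
            '>'  => $actual > $value,
            '>=' => $actual >= $value,
            '<'  => $actual < $value,
            '<=' => $actual <= $value,
            default => throw new InvalidArgumentException("unsupported operator: $op"),
        };
    }
    if ($terms === []) {
        return true;                                       // no restriction at all
    }
    return $anyOf ? in_array(true, $terms, true) : !in_array(false, $terms, true);
}

// Mirrors the shape of the find() in __setBuilderConfig(): the enabled filter plus the
// org condition as a nested numeric-key element.
function visibleGalaxyNames(array $galaxies, array $orgCondition): array {
    $conditions = ['Galaxy.enabled' => true, $orgCondition];
    $names = [];
    foreach ($galaxies as $galaxy) {
        if (rowMatches($conditions, $galaxy)) {
            $names[] = $galaxy['name'];
        }
    }
    return $names;
}

// Regression-style check: names the user's organisation should never see, i.e. enabled
// distribution-0 galaxies owned by another organisation that still made it into the list.
function leakedNames(array $galaxies, array $orgCondition, int $orgId): array {
    $byName = array_column($galaxies, null, 'name');
    return array_values(array_filter(
        visibleGalaxyNames($galaxies, $orgCondition),
        fn (string $name): bool => $byName[$name]['org_id'] !== $orgId && $byName[$name]['distribution'] === 0
    ));
}

$orgId = 2;   // a non-site-admin user from organisation 2
echo var_export(buggyOrgCondition($orgId)['OR'], true), PHP_EOL;
echo 'buggy leaked:    ', implode(', ', leakedNames(sampleGalaxies(), buggyOrgCondition($orgId), $orgId)), PHP_EOL;
echo 'intended leaked: ', implode(', ', leakedNames(sampleGalaxies(), intendedOrgCondition($orgId), $orgId)), PHP_EOL;
```

The first line of output shows that no column name survives in the buggy array, only a bare `true` under key `0`, which is why the evaluator (and the real query) treats it as a constant that satisfies the OR for every row. With the buggy condition, `orgA-internal-actors` (organisation 1, distribution 0) is listed for the organisation 2 user; with the intended operator-in-key form it is not, while the shared `mitre-attack-pattern` galaxy remains visible in both cases. The same `leakedNames()` shape is what a regression test for the builder would assert to be empty.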

Preconditions

  • auth: The attacker must be an authenticated MISP user without the site-admin role.
  • input: The attacker must have access to the Event Template Builder page.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
