VYPR
Medium severity · NVD Advisory · Published Jun 12, 2026

CVE-2026-54397

Description

MISP non-REST event edit path missing sharing group authorization check allows authenticated editors to assign events to unauthorized sharing groups, leaking group names and modifying distribution metadata.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The non-REST event editing path in MISP (vulnerable versions prior to commit 609ff6c) fails to validate that a user changing an event's sharing_group_id is authorized to use the selected sharing group when distribution is set to 4 (sharing group). The REST path enforces this check via Event::_edit(), but the non-REST save path writes sharing_group_id directly from the submitted form without authorization [1]. Affected versions include all MISP releases before the fix.

Exploitation

An authenticated user with event edit permissions can tamper with the HTTP form data during a non-REST event edit request, setting the distribution field to 4 and providing a sharing_group_id value corresponding to a sharing group they do not have access to. No special network position or additional user interaction beyond normal editing is required [1].

Impact

Successful exploitation allows the attacker to assign an event to an undisclosed or unauthorized sharing group, resulting in disclosure of the sharing group's name in event listings and unintended modification of the event's distribution metadata. The attacker gains unauthorized use of restricted sharing groups [1].

Mitigation

The issue is fixed in MISP commit 609ff6c, which adds a check using SharingGroup::checkIfCanBeUsed() for the user when the sharing group is changed, and clears sharing_group_id when distribution is not set to sharing group. Users should update to the latest MISP version containing this commit [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Misp/Misp: 2 versions (no CPE)

Patches (1)

609ff6c785d7

fix: [security] sharing groups assign data to sharing groups that are undisclosed

https://github.com/MISP/MISP · iglocska · Jun 11, 2026 · via nvd-ref
1 file changed · +17 −0
  • app/Controller/EventsController.php (+17 −0, modified)
    @@ -4011,6 +4011,23 @@ public function edit($id = null)
                 // say what fields are to be updated
                 $fieldList = array('date', 'threat_level_id', 'analysis', 'info', 'published', 'distribution', 'timestamp', 'sharing_group_id', 'extends_uuid');
     
    +            // If the distribution is set to a sharing group, validate that the user is actually allowed
    +            // to use the chosen SG. The REST path enforces this via Event::_edit(), but the non-REST save
    +            // below writes sharing_group_id straight from the submitted form, so without this guard an
    +            // editor could tamper with the form to pick a sharing group they have no access to (leaking
    +            // its name on the event index). Keeping the event's existing SG unchanged stays allowed.
    +            if (isset($this->request->data['Event']['distribution']) && $this->request->data['Event']['distribution'] == 4) {
    +                if (($this->request->data['Event']['sharing_group_id'] ?? 0) != $event['Event']['sharing_group_id']) {
    +                    $canSGBeUsed = $this->Event->SharingGroup->checkIfCanBeUsed($this->Auth->user(), $this->_isRest(), $this->request->data, 'Event');
    +                    if ($canSGBeUsed !== true) {
    +                        throw new MethodNotAllowedException($canSGBeUsed);
    +                    }
    +                }
    +            } else if (isset($this->request->data['Event']['distribution'])) {
    +                // A non-sharing-group distribution must not carry a sharing group id.
    +                $this->request->data['Event']['sharing_group_id'] = 0;
    +            }
    +
                 // always force the org, but do not force it for admins
                 if (!$this->_isSiteAdmin()) {
                     // set the same org as existed before
    
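Review bot: the guard is keyed on `distribution` being present in the request, so a form submission that omits `distribution` but still carries `sharing_group_id` falls through both branches, and because `sharing_group_id` is still in `$fieldList` (see the line above the hunk) it is written unchecked when the stored event already has distribution 4. Consider resolving the effective distribution first, e.g. `$distribution = $this->request->data['Event']['distribution'] ?? $event['Event']['distribution'];`, and keying both the `== 4` branch and the clearing branch on that value. A smaller point: `$canSGBeUsed` holds an authorisation error message here, so a 403-class `ForbiddenException` describes the failure more accurately than `MethodNotAllowedException` (405).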

Vulnerability mechanics

Root cause

"Missing authorization check for sharing_group_id in the non-REST event edit path allows an editor to assign an event to a sharing group they are not permitted to use."

Attack vector

An authenticated user with event edit permissions can tamper with the submitted form data when editing an event via the non-REST path, setting `distribution` to 4 (sharing group distribution) and choosing a `sharing_group_id` they are not authorized to use. The server accepts this value without checking that the user has access to the chosen sharing group, unlike the REST edit path which performs this validation [ref_id=1]. This could leak the sharing group's name on the event index and allow unauthorized use of restricted sharing groups.

Affected code

The vulnerability is in `app/Controller/EventsController.php`, specifically in the `edit()` function's non-REST save path. The controller writes `sharing_group_id` directly from submitted form data without validating that the user is authorized to use the selected sharing group [patch_id=5750820].

What the fix does

The patch adds two guards in the non-REST `edit()` method. First, when distribution is set to sharing group distribution (value 4) and the `sharing_group_id` differs from the event's current value, it calls `SharingGroup::checkIfCanBeUsed()` to verify the user is authorized; if not, a `MethodNotAllowedException` is thrown. Second, when distribution is not set to sharing group distribution, it explicitly clears `sharing_group_id` to zero, preventing stale or tampered sharing group values from persisting [patch_id=5750820].
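The guard logic described in the Mitigation section and in "What the fix does" above, written as a stand-alone pure function so it can be unit-tested outside CakePHP. This is an added example, not MISP's own code: `authoriseSharingGroupChange()` and the `$canUseSharingGroup` callable are hypothetical names standing in for the controller code and for `SharingGroup::checkIfCanBeUsed()`, which is assumed to return `true` or an error string. It goes slightly beyond the patch by resolving the effective distribution from the stored event when the form omits the field, so a request carrying only `sharing_group_id` is still checked.

```php
<?php
// Added example (not MISP's own code). Assumptions: distribution value 4
// means "sharing group" as on the page; $canUseSharingGroup is a hypothetical
// stand-in for SharingGroup::checkIfCanBeUsed() returning true|string.

const DISTRIBUTION_SHARING_GROUP = 4;

/**
 * Normalise and authorise the distribution / sharing_group_id pair of an
 * event edit request before it reaches the save.
 *
 * @param array    $submitted           'Event' array from the form (keys may be absent)
 * @param array    $stored              the event as currently persisted
 * @param callable $canUseSharingGroup  fn(int $sgId): true|string
 * @return array   sanitised fields safe to hand to the save
 * @throws RuntimeException when the user may not use the requested sharing group
 */
function authoriseSharingGroupChange(array $submitted, array $stored, callable $canUseSharingGroup): array
{
    // Fall back to the stored distribution so a form that omits the field but
    // still carries sharing_group_id does not bypass the check.
    $distribution = isset($submitted['distribution'])
        ? (int) $submitted['distribution']
        : (int) $stored['distribution'];
    $requestedSg = (int) ($submitted['sharing_group_id'] ?? 0);
    $currentSg   = (int) ($stored['sharing_group_id'] ?? 0);

    if ($distribution === DISTRIBUTION_SHARING_GROUP) {
        // Keeping the event's existing sharing group is always allowed;
        // only a change of sharing group needs the authorisation check.
        if ($requestedSg !== $currentSg) {
            $verdict = $canUseSharingGroup($requestedSg);
            if ($verdict !== true) {
                throw new RuntimeException(is_string($verdict) ? $verdict : 'Sharing group not permitted');
            }
        }
        return ['distribution' => $distribution, 'sharing_group_id' => $requestedSg];
    }

    // Any non-sharing-group distribution must not carry a sharing group id,
    // so a stale or tampered value cannot persist.
    return ['distribution' => $distribution, 'sharing_group_id' => 0];
}

// Constructed sample data (not from the advisory): this user may use SG 3 only.
$allowed = [3 => true];
$canUse = function (int $sgId) use ($allowed): bool|string {
    return isset($allowed[$sgId]) ? true : "Sharing group $sgId is not accessible to this user";
};
$stored = ['distribution' => 1, 'sharing_group_id' => 0];

// 1) Legitimate change to an accessible sharing group: accepted.
var_dump(authoriseSharingGroupChange(['distribution' => '4', 'sharing_group_id' => '3'], $stored, $canUse));
// 2) Distribution moved away from sharing group: the id is cleared to 0.
var_dump(authoriseSharingGroupChange(['distribution' => '0', 'sharing_group_id' => '3'], $stored, $canUse));
// 3) Tampered form naming an inaccessible sharing group: rejected.
try {
    authoriseSharingGroupChange(['distribution' => '4', 'sharing_group_id' => '9'], $stored, $canUse);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The function is deliberately free of framework dependencies so the three cases above (allowed change, cleared id, rejected tamper) can be asserted in a plain PHPUnit test; in the controller the same decision would be made before the save, with the thrown exception mapped to the framework's 403 response.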

Preconditions

  • auth: Must be an authenticated user with event edit permissions.
  • input: The user must submit a non-REST (form-based) event edit request.
  • input: The submitted form must include distribution=4 and a sharing_group_id the attacker is not authorized to use.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)
