VYPR
Medium severity · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-9084

Description

MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MISP's OIDC authentication plugin allowed account takeover by linking an OIDC identity to an existing local user via the email claim when insecure IdP configurations are used.

Vulnerability

The OIDC authentication plugin in MISP versions prior to commit 71f5662 allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted Identity Provider (IdP) configurations where email ownership is not enforced, an attacker could assert a victim's email address via a valid OIDC token and authenticate as that user. The fix introduces two new configuration options: OidcAuth.allow_email_linking (default false) and OidcAuth.require_email_verified (default true), which prevent automatic linking unless explicitly enabled with appropriate trust assumptions [1].

Exploitation

An attacker requires a valid OIDC token from an IdP that does not enforce email ownership (e.g., allows registering an email without verification). The attacker's token contains the victim's email in the email claim. When the attacker authenticates via OIDC, MISP first attempts to find a user by the token's sub claim (not found). It then searches by the email claim and finds the victim's local account that has a NULL sub value. Without the new configuration guards, MISP links the OIDC identity to that account, granting the attacker access as the victim [1].

Impact

Successful exploitation results in account takeover. The attacker gains the full privileges of the victim's MISP account, including access to all data, events, and configurations associated with that user. This could lead to unauthorized information disclosure, data manipulation, or further compromise within the MISP instance [1].

Mitigation

A fix is available in commit 71f5662, released on 2026-05-20. Users should upgrade to a version containing this commit. If upgrading is not immediately possible, administrators can mitigate by ensuring that the configuration option OidcAuth.allow_email_linking is set to false (the default) and OidcAuth.require_email_verified is set to true (the default). Additionally, the IdP should be reviewed to enforce email ownership and verification before issuing tokens [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Misp/Misp: 2 versions (no CPE)

Patches

71f5662c1b58

fix: [security] OIDC authentication bypass under certain insecure IdP configurations via automatic email account linking. Discovered by Ali Ganiyev (independent researcher).

https://github.com/MISP/MISP · Luciano Righetti · May 20, 2026 · via nvd-ref
2 files changed · +25 −3
  • app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php (+2 −0, modified)
    @@ -22,6 +22,8 @@
      *  - OidcAuth.mixedAuth (boolean, default: false) - if enabled, MISP will not automatically redirect to SSO portal and allow other authentication methods
      *  - OidcAuth.disable_request_object (boolean, default: false) Disable the Request Object approach in authorization requests, allowing users to fallback to plain parameters when needed for compatibility with certain OpenID Connect providers.
      *  - OidcAuth.skipProxy (boolean, default: true) - if enabled, MISP will disable global proxy settings for OIDC requests
    + *  - OidcAuth.allow_email_linking (boolean, default: false) - allow OIDC to link to an existing local user (sub IS NULL) by matching the `email` claim. Off by default; enable only when the IdP is trusted to assert ownership of the email claim, otherwise a token holder may take over any local account sharing the email.
    + *  - OidcAuth.require_email_verified (boolean, default: true) - when linking is allowed, also require the token's `email_verified` claim to be true. Disable only on IdPs that do not issue the claim and where ownership of the email is enforced by other means.
      */
     class OidcAuthenticate extends BaseAuthenticate
     {
    
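Review bot: the `OidcAuth.allow_email_linking` description should state the operational consequence of its default, not only the security rationale: with it off, every existing local user whose `sub` is still NULL is refused at OIDC login until an administrator enables the option or links the account another way, which is what the refusal message in Oidc.php calls "migration". As written the docblock reads as if the default only affects a token holder with someone else's email; one sentence such as "Existing local-only accounts cannot log in via OIDC while this is off" would save operators a trip to the error log.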
  • app/Plugin/OidcAuth/Lib/Oidc.php (+23 −3, modified)
    @@ -42,9 +42,29 @@ public function authenticate(array $settings)
     
             if (!$user) { // User by sub not found, try to find by email
                 $user = $this->_findUser($settings, ['User.email' => $mispUsername]);
    -            if ($user && $user['sub'] !== null && $user['sub'] !== $sub) {
    -                $this->log($mispUsername, "User sub doesn't match ({$user['sub']} != $sub), could not login.", LOG_ERR);
    -                return false;
    +            if ($user) {
    +                if ($user['sub'] !== null && $user['sub'] !== $sub) {
    +                    $this->log($mispUsername, "User sub doesn't match ({$user['sub']} != $sub), could not login.", LOG_ERR);
    +                    return false;
    +                }
    +                if ($user['sub'] === null) {
    +                    $allowLink = (bool)$this->getConfig('allow_email_linking', false, false);
    +                    $requireVerified = (bool)$this->getConfig('require_email_verified', true, false);
    +                    $rawEmailVerified = $claims->email_verified ?? null;
    +                    $isVerified = ($rawEmailVerified === true || $rawEmailVerified === 'true');
    +                    if (!$allowLink || ($requireVerified && !$isVerified)) {
    +                        $this->log(
    +                            $mispUsername,
    +                            "Refusing to link OIDC identity to existing user with NULL sub " .
    +                            "(allow_email_linking=" . var_export($allowLink, true) .
    +                            ", require_email_verified=" . var_export($requireVerified, true) .
    +                            ", email_verified=" . var_export($rawEmailVerified, true) . "). " .
    +                            "Set OidcAuth.allow_email_linking=true to permit migration; the IdP must also issue email_verified=true unless OidcAuth.require_email_verified is set to false.",
    +                            LOG_ERR
    +                        );
    +                        return false;
    +                    }
    +                }
                 }
             }
     
    
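Review bot: the `$isVerified = (... === true || ... === 'true')` normalisation accepts only boolean `true` or the string `'true'`, so an IdP that issues `email_verified` as `1` or `"1"` is refused under the default `require_email_verified=true` with no hint in the log about why; either state the accepted spellings in the option description or route the claim through one helper (for example `filter_var($rawEmailVerified, FILTER_VALIDATE_BOOLEAN)`, if the wider set of truthy spellings it accepts is acceptable) so the rule lives in one place. Failing closed when the claim is absent (`?? null`) is the right default and should stay. Since the two new checks only run on the `$user['sub'] === null` path, a test covering the four allow/require combinations against a NULL-sub user would keep that branch from regressing.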

Vulnerability mechanics

Root cause

"Missing access control on automatic OIDC-to-local account linking allowed a token holder to bind their identity to any local user whose email matched the token's email claim, without verifying email ownership."

Attack vector

An attacker obtains a valid OIDC token from an IdP that does not enforce email ownership (e.g., allows self-asserted email claims or does not verify email_verified). The attacker sets the email claim to the victim's email address. When MISP processes the token, the OIDC plugin finds no existing sub match but locates a local user with that email whose sub field is NULL. Under the pre-patch code, the plugin automatically links the OIDC identity to that local account and logs the attacker in, achieving account takeover [CWE-287]. The attack requires the IdP to be untrusted or misconfigured and the victim's local account to have no previously stored sub value.

Affected code

The vulnerability resides in `app/Plugin/OidcAuth/Lib/Oidc.php` in the `authenticate()` method. When no user is found by the `sub` claim, the code falls back to looking up a local user by email. The pre-patch logic only checked whether an existing user's sub mismatched; it did not gate the linking path when the local user's sub was NULL. The companion file `app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php` was updated to document the new configuration options.

What the fix does

The patch introduces two new configuration flags — `allow_email_linking` (default false) and `require_email_verified` (default true) — that gate the automatic linking path [patch_id=854179]. When a local user with a matching email has a NULL sub, the code now checks whether linking is explicitly permitted and, if so, whether the token's `email_verified` claim is true. If either check fails, authentication is refused and a detailed log entry is written. This closes the bypass by ensuring that automatic email-based linking only occurs under administrator-controlled, explicit opt-in and, by default, requires proof of email ownership from the IdP.
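The linking decision described in the Exploitation section above and in this paragraph, as an added example that is not MISP's code: it models the email-fallback branch of `authenticate()` before and after the patch in Python, with constructed local-user, token and OidcAuth.* configuration values, so the default refusal and the two opt-in paths can be compared side by side.

```python
"""Added example (not MISP code): models the email-fallback branch of
Oidc::authenticate() before and after commit 71f5662 so the config/claim
combinations can be compared side by side."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    email: str
    sub: Optional[str]  # None models "sub IS NULL" on the local account


def email_verified_is_true(claims: dict) -> bool:
    # As in the patch: only boolean true or the string 'true' count, so a
    # missing or falsy claim fails closed when require_email_verified is set.
    raw = claims.get("email_verified")
    return raw is True or raw == "true"


def decide(user: LocalUser, claims: dict, cfg: dict, patched: bool = True) -> str:
    """Outcome for a token whose sub matched no local user but whose email did;
    cfg keys are the OidcAuth.* options from the patch, with its defaults."""
    if user.sub is not None and user.sub != claims["sub"]:
        return "refused: sub mismatch"  # check present before and after the patch
    if user.sub is None and patched:
        allow_link = bool(cfg.get("allow_email_linking", False))
        require_verified = bool(cfg.get("require_email_verified", True))
        if not allow_link or (require_verified and not email_verified_is_true(claims)):
            return "refused: linking not permitted"
    return "linked: login as " + user.email  # pre-patch code always reaches here


# Constructed scenario: a local-only victim account and a token from a lax IdP
# that let its holder assert the victim's email address.
VICTIM = LocalUser(email="victim@example.org", sub=None)
TOKEN = {"sub": "idp-subject-123", "email": "victim@example.org", "email_verified": False}

def scenarios() -> dict:
    defaults = {}  # allow_email_linking=false, require_email_verified=true
    opt_in = {"allow_email_linking": True}
    trusted_idp = {"allow_email_linking": True, "require_email_verified": False}
    return {
        "pre_patch": decide(VICTIM, TOKEN, defaults, patched=False),
        "patched_defaults": decide(VICTIM, TOKEN, defaults),
        "opt_in_unverified": decide(VICTIM, TOKEN, opt_in),
        "opt_in_verified": decide(VICTIM, dict(TOKEN, email_verified="true"), opt_in),
        "trusted_idp_no_verify": decide(VICTIM, TOKEN, trusted_idp),
    }
```

Only the `pre_patch` case and the two explicit opt-in cases end in a login; with the shipped defaults the same token is refused, which is the behaviour the paragraph describes.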

Preconditions

  • config: The victim's local MISP account must have a NULL sub field (i.e., never previously linked to an OIDC identity).
  • input: The attacker must possess a valid OIDC token whose email claim matches the victim's email address.
  • config: The IdP must not enforce email ownership (e.g., allows arbitrary email claims or does not set email_verified to true).

Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References