VYPR
Medium severity · NVD Advisory · Published May 20, 2026

CVE-2026-9137

Description

The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MISP CSP report endpoint truncated at 1 MB instead of 1 KB, allowing large log entries and potential resource exhaustion.

Vulnerability

In MISP, the cspReport() method in ServersController was intended to limit Content Security Policy (CSP) report payloads to 1 KB before logging, but a typo in the comparison logic caused the limit to be set at 1 MB (1024 * 1024 bytes) instead of 1 KB (1024 bytes) [1]. As a result, CSP reports with bodies up to 1 MB could be logged without truncation. This affects deployments using MISP versions prior to the fix commit 02932cccab230b295afcaf5aa05e363d30db0ec9 where the CSP report endpoint is exposed to untrusted clients.

Exploitation

An attacker needs network access to the CSP report endpoint (typically /cspReport) and the ability to send HTTP POST requests with crafted CSP report payloads. No authentication or special privileges are required to reach this endpoint if it is publicly exposed. The attacker can send multiple requests with payloads up to 1 MB, each resulting in a log entry of nearly identical size. By sending a sustained stream of such requests, the attacker can rapidly fill the server's log storage.

Impact

Successful exploitation can cause excessive log volume, potentially leading to resource exhaustion (disk space, I/O bandwidth) and log flooding. This may degrade system performance, obscure legitimate log entries, or trigger operational disruptions if logging fills the filesystem. The vulnerability does not directly allow code execution or data exfiltration, but it impacts availability and can complicate incident response and monitoring.

Mitigation

The issue is fixed in MISP commit 02932cccab230b295afcaf5aa05e363d30db0ec9 [1], where the size comparison was corrected to 1024 bytes. Users should apply the latest update or patch to affected versions. As a workaround, deployments can restrict network access to the CSP report endpoint using firewall rules or authentication requirements, or monitor and rate-limit requests to that endpoint. No CISA KEV listing has been published as of the disclosure date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (1)

02932cccab23

fix: [ServersController] correct CSP report size validation to 1KB

https://github.com/MISP/MISP · Seth Kraft · May 16, 2026 · via nvd-ref
1 file changed · +2 −2
  • app/Controller/ServersController.php (+2 −2, modified)
    @@ -2330,8 +2330,8 @@ public function cspReport()
                 $message .= ' from IP ' . $remoteIp;
             }
             $report = JsonTool::encode($report['csp-report'], true);
    -        if (strlen($report) > 1024 * 1024) { // limit report to 1 kB
    -            $report = substr($report, 0, 1024 * 1024) . '...';
    +        if (strlen($report) > 1024) { // limit report to 1 kB
    +            $report = substr($report, 0, 1024) . '...';
             }
             $this->log("$message: $report");
     
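Review bot: the comparison on the `if` line and the `substr()` call on the next line still carry the limit as two separate `1024` literals, which is exactly the arrangement that let the `1024 * 1024` typo slip in and stay consistent with itself; pulling the limit into one named constant (e.g. a class constant such as `CSP_REPORT_MAX_LOG_BYTES`) and using it in both places would make a recurrence impossible. Two smaller points on the same lines: `substr()` cuts the JSON-encoded report on bytes, so a report containing multibyte UTF-8 can be logged ending mid-character (`mb_strcut()` cuts at a character boundary while still honouring the byte budget), and the appended `'...'` means the logged string can reach 1027 bytes rather than the 1 kB the comment states, which is harmless but worth noting in the comment.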
    

Vulnerability mechanics

Root cause

"Incorrect constant in size comparison and truncation: the CSP report endpoint used 1 MB (1024*1024) instead of the intended 1 KB (1024) limit."

Attack vector

An attacker sends a crafted CSP violation report to the `/cspReport` endpoint with a `csp-report` payload approaching 1 MB. The server logs the full payload before truncation, causing each request to write approximately 1 MB of log data. If the endpoint is exposed to untrusted clients, repeated requests can rapidly fill disk space or overwhelm log processing pipelines [CWE-400]. The only precondition is network access to the endpoint; no authentication is required.

Affected code

The vulnerability is in the `cspReport()` method of `app/Controller/ServersController.php`. The condition `strlen($report) > 1024 * 1024` and the corresponding `substr()` call both used 1 MB instead of the intended 1 KB, allowing oversized CSP reports to be logged at full size.

What the fix does

The patch changes both the condition and the truncation boundary from `1024 * 1024` (1 MB) to `1024` (1 KB) in `app/Controller/ServersController.php` [patch_id=876957]. This ensures that CSP reports larger than 1 KB are truncated before being written to the log, matching the original design intent documented in the comment. The fix closes the resource-exhaustion vector by reducing the maximum per-request log entry size by a factor of approximately 1000.
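The following is an added example, not MISP's code and not the PHP from the patch above. It restates the corrected rule in Python so it can be run directly: a single named constant drives both the size check and the cut, so the two cannot drift apart the way the `1024 * 1024` literal did, and the cut is made byte-safe for UTF-8. It also shows the monitoring side suggested under Mitigation: a scan over log lines that flags CSP-report entries larger than a patched instance could ever write. The log line format and the sample entries are constructed for this example; MISP's real log format is not documented on this page and may differ.

```python
"""Added example (not MISP's code): the corrected CSP-report truncation rule,
plus a log check that flags oversized CSP-report entries.

Assumptions not taken from the advisory: the "<ts> CSP report from IP <ip>: <json>"
log line shape below is constructed for this example.
"""
import json
import re

# One named constant feeds both the comparison and the cut, so they cannot
# disagree the way the 1024 * 1024 literal and substr() did before the fix.
CSP_REPORT_LOG_LIMIT = 1024  # bytes; the "1 kB" the original comment intended
TRUNCATION_MARKER = "..."


def truncate_report(report: dict, limit: int = CSP_REPORT_LOG_LIMIT) -> str:
    """Serialize a csp-report object and cap the logged form at `limit` bytes.

    Mirrors the shape of the patched logic (serialize, compare the byte length,
    keep the first `limit` bytes, append a marker), but cuts on bytes and then
    decodes leniently so a multibyte UTF-8 character split at the boundary is
    dropped instead of leaving an invalid sequence in the log.
    """
    encoded = json.dumps(report, ensure_ascii=False, separators=(",", ":")).encode("utf-8")
    if len(encoded) > limit:
        return encoded[:limit].decode("utf-8", errors="ignore") + TRUNCATION_MARKER
    return encoded.decode("utf-8")


# Constructed log shape for this example: "<timestamp> CSP report from IP <ip>: <body>"
LOG_LINE_RE = re.compile(r"^\S+ CSP report from IP (?P<ip>\S+): (?P<body>.*)$")


def oversized_csp_entries(log_lines, limit: int = CSP_REPORT_LOG_LIMIT):
    """Return (ip, body_bytes) for CSP-report log entries whose body exceeds the cap.

    A patched instance never writes a body longer than `limit` plus the marker,
    so any hit points at an unpatched instance or a flood already in progress.
    """
    ceiling = limit + len(TRUNCATION_MARKER)
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a CSP-report entry
        body_bytes = len(m.group("body").encode("utf-8"))
        if body_bytes > ceiling:
            hits.append((m.group("ip"), body_bytes))
    return hits


def log_bytes_per_ip(hits):
    """Aggregate oversized-entry bytes by source IP, the figure an operator
    would compare against available log storage when deciding to block."""
    totals: dict[str, int] = {}
    for ip, size in hits:
        totals[ip] = totals.get(ip, 0) + size
    return totals


# Constructed sample log: one normal report, one oversized report as an
# unpatched instance would write it, one unrelated line, and one report
# already truncated by the corrected rule.
SAMPLE_LOG = [
    '2026-05-16T10:00:00Z CSP report from IP 198.51.100.7: '
    '{"document-uri":"https://misp.example/events/view/1","violated-directive":"script-src"}',
    "2026-05-16T10:00:01Z CSP report from IP 198.51.100.7: "
    + json.dumps({"document-uri": "https://misp.example/", "blocked-uri": "A" * 5000}),
    "2026-05-16T10:00:02Z Auth: user admin logged in",
    "2026-05-16T10:00:03Z CSP report from IP 203.0.113.9: "
    + truncate_report({"document-uri": "https://misp.example/", "blocked-uri": "B" * 5000}),
]

if __name__ == "__main__":
    hits = oversized_csp_entries(SAMPLE_LOG)
    for ip, size in hits:
        print(f"oversized CSP report body from {ip}: {size} bytes")
    print("bytes per IP:", log_bytes_per_ip(hits))
```

Run as a script it reports the one 5 KB entry from the constructed log; on a real deployment the regular expression would be adapted to the actual log line shape, and a non-empty result from `oversized_csp_entries` on a supposedly patched instance is itself a useful post-upgrade check.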

Preconditions

  • network: Attacker must be able to send HTTP POST requests to the CSP report endpoint
  • config: The CSP report endpoint must be reachable by untrusted clients (not firewalled or restricted)

Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.