VYPR
patch · Published Jun 22, 2026 · Updated Jul 1, 2026 · 1 source

MISP: Five Vulnerabilities Including RCE and Access Control Flaws Disclosed Together


Key findings

  • Two critical RCE vulnerabilities in MISP allow authenticated administrators to execute arbitrary code.
  • Three broken access control and mass assignment flaws enable unauthorized data modification and deletion.
  • All five vulnerabilities were disclosed together on June 22, 2026, requiring urgent patching.
  • Exploitation could lead to full system compromise and data integrity breaches.

On June 22, 2026, a batch of five vulnerabilities was disclosed for MISP (Malware Information Sharing Platform), a threat intelligence platform. The vulnerabilities, disclosed within a one-hour window, include critical remote code execution (RCE) flaws and broken access control issues that could allow unauthorized data modification or deletion. These disclosures highlight significant security concerns for organizations relying on MISP for managing and sharing threat data.

Two of the disclosed vulnerabilities (CVE-2026-56447 and CVE-2026-56446) are particularly severe, both leading to authenticated remote code execution. CVE-2026-56447 stems from MISP allowing an authenticated site administrator to specify an arbitrary filesystem path for rdkafka configuration. A crafted configuration file could then be used to load arbitrary libraries, enabling code execution. Similarly, CVE-2026-56446 allowed an authenticated site administrator to set an arbitrary filesystem path for the NDJSON error log. By directing log output to a web-accessible PHP file, an attacker could inject malicious code.
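Both flaws come down to a server-side file path accepted without confinement. The following is an added example, not MISP's code or its patch: a validator that resolves an administrator-supplied path and rejects it unless it stays inside one allowed directory, outside the web root, and carries an expected suffix. The directory layout, suffix list and function names are hypothetical; the same check applies to a configuration-file setting with its own directory and suffixes.

```python
import os

# Hypothetical layout for illustration; not taken from the MISP advisories.
LOG_DIR = "/srv/misp-example/logs"
WEB_ROOT = "/srv/misp-example/webroot"
LOG_SUFFIXES = (".log", ".ndjson")


def _inside(path: str, parent: str) -> bool:
    """True if path is parent itself or lies below it (both already resolved)."""
    return os.path.commonpath([path, parent]) == parent


def path_problems(raw: str, allowed_dir: str = LOG_DIR,
                  web_root: str = WEB_ROOT,
                  suffixes: tuple = LOG_SUFFIXES) -> list:
    """Return the reasons `raw` must be rejected as a server-side file setting."""
    if "\x00" in raw or not os.path.isabs(raw):
        return ["not an absolute path"]
    # realpath collapses ".." and follows symlinks, so the checks below see
    # the location the server would really open.
    real = os.path.realpath(raw)
    problems = []
    if not _inside(real, os.path.realpath(allowed_dir)):
        problems.append("outside allowed directory")
    if _inside(real, os.path.realpath(web_root)):
        problems.append("inside web root")
    if not real.lower().endswith(suffixes):
        problems.append("suffix not allowed")
    return problems


if __name__ == "__main__":
    # Constructed sample values an administrator might submit.
    for candidate in (
        "/srv/misp-example/logs/errors.ndjson",
        "/srv/misp-example/logs/../webroot/img/errors.php",
        "/srv/misp-example/logs-old/errors.ndjson",
        "errors.ndjson",
    ):
        print(candidate, "->", path_problems(candidate) or "ok")
```

Run the check again when the file is opened, not only when the setting is saved, because a symlink can change between the two.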

The remaining three vulnerabilities (CVE-2026-56424, CVE-2026-56423, and CVE-2026-56422) are related to broken access control and mass assignment. CVE-2026-56424 and CVE-2026-56423 detail how authorization checks were either performed against the wrong entity or were missing entirely in write paths and bulk deletion endpoints, respectively. This allowed lower-privileged authenticated users to modify or delete data across organizations, including analyst data, event reports, collections, templates, and sharing groups. CVE-2026-56422 addresses mass assignment: request fields, including primary keys and ownership identifiers, were accepted from clients without validation, potentially leading to object re-ownership or unauthorized modifications.
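The three defect classes named above map to three server-side controls: authorize against the stored object, check every target of a bulk operation before changing anything, and accept only an allowlist of client-writable fields. The following is an added example, not MISP's code; the `Report` type, the field names and the in-memory store are hypothetical stand-ins.

```python
from dataclasses import dataclass, replace

# Fields a client may set; primary key and ownership are never client-writable.
EDITABLE_FIELDS = {"name", "content"}


class Forbidden(Exception):
    """The caller's organisation does not own the target object."""


@dataclass(frozen=True)
class Report:          # hypothetical stand-in for an event report
    id: int
    org_id: int
    name: str
    content: str


def _require_owner(user_org_id: int, report: Report) -> None:
    # Authorize against the stored object, not against ids sent in the request.
    if report.org_id != user_org_id:
        raise Forbidden(f"report {report.id} belongs to another organisation")


def update_report(store: dict, user_org_id: int, report_id: int, body: dict) -> Report:
    report = store[report_id]
    _require_owner(user_org_id, report)
    unexpected = sorted(set(body) - EDITABLE_FIELDS)
    if unexpected:
        raise ValueError(f"fields not writable by clients: {unexpected}")
    store[report_id] = replace(report, **body)
    return store[report_id]


def bulk_delete(store: dict, user_org_id: int, report_ids: list) -> int:
    # Check every target before deleting any, so a mixed list changes nothing.
    ids = set(report_ids)
    for report_id in ids:
        _require_owner(user_org_id, store[report_id])
    for report_id in ids:
        del store[report_id]
    return len(ids)


def sample_store() -> dict:
    # Constructed data: two reports owned by org 1, one by org 2.
    return {1: Report(1, 1, "a", "x"), 2: Report(2, 1, "b", "y"), 3: Report(3, 2, "c", "z")}
```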

The impact of these vulnerabilities is significant, particularly for organizations using MISP to manage sensitive threat intelligence. The RCE flaws could allow attackers to gain full control over the MISP instance, while the access control issues could lead to data integrity breaches and unauthorized data manipulation. Users are strongly advised to update their MISP instances to the latest version to mitigate these risks. Further details and specific version information can be found in the official MISP security advisories.

This coordinated disclosure of multiple critical vulnerabilities underscores the importance of timely patching and security audits for critical infrastructure components like MISP. Organizations should prioritize applying security updates and reviewing their access control configurations to prevent potential exploitation.

The disclosed vulnerabilities are:

  • CVE-2026-56447: Remote code execution via arbitrary rdkafka configuration path.
  • CVE-2026-56446: Authenticated remote code execution via arbitrary NDJSON error log path.
  • CVE-2026-56424: Broken access control allowing cross-organization unauthorized modification or deletion of data.
  • CVE-2026-56423: Broken access control allowing instance-wide unauthorized deletion of event reports and sharing groups.
  • CVE-2026-56422: Mass assignment and object re-ownership via unvalidated request fields.

It is crucial for all MISP administrators to review these vulnerabilities and apply the necessary patches immediately. The MISP project typically releases security updates promptly, and users should consult the official MISP security advisories for the most up-to-date information on affected versions and remediation steps.

The coordinated disclosure of these five vulnerabilities on June 22, 2026, highlights a critical security concern for the MISP platform. The presence of multiple RCE and access control flaws within a single disclosure event warrants immediate attention from all users. Organizations should treat this as a high-priority update to safeguard their threat intelligence data and prevent potential system compromise.

The batch of vulnerabilities disclosed on June 22, 2026, for MISP includes critical remote code execution and broken access control flaws. The RCE vulnerabilities (CVE-2026-56447, CVE-2026-56446) allow authenticated administrators to execute arbitrary code by manipulating configuration paths for Kafka and error logging, respectively. Additionally, several access control vulnerabilities (CVE-2026-56424, CVE-2026-56423, CVE-2026-56422) permit unauthorized data modification, deletion, and object re-ownership due to insufficient authorization checks and mass assignment flaws.

The tight clustering of these vulnerabilities, all disclosed on the same day, suggests a significant security audit or a single development cycle's findings. MISP users are urged to apply patches promptly to address these critical security weaknesses and protect the integrity and confidentiality of their threat intelligence data.

The vulnerabilities disclosed for MISP on June 22, 2026, include two critical remote code execution (RCE) flaws and three severe broken access control issues. CVE-2026-56447 and CVE-2026-56446 enable authenticated administrators to achieve RCE by exploiting arbitrary file path configurations for rdkafka and NDJSON error logs, respectively. The access control vulnerabilities, CVE-2026-56424, CVE-2026-56423, and CVE-2026-56422, allow unauthorized data manipulation, deletion, and object re-ownership due to inadequate authorization checks and mass assignment vulnerabilities.

This coordinated disclosure of five vulnerabilities within a short timeframe emphasizes the need for immediate patching of MISP instances. Users should consult official MISP security advisories for detailed remediation steps and ensure their systems are updated to prevent exploitation of these critical security flaws.

The MISP platform experienced a coordinated disclosure of five vulnerabilities on June 22, 2026. Two critical RCE vulnerabilities, CVE-2026-56447 and CVE-2026-56446, allow authenticated site administrators to execute arbitrary code by setting arbitrary rdkafka configuration and error log paths. Three other vulnerabilities, CVE-2026-56424, CVE-2026-56423, and CVE-2026-56422, stem from broken access control and mass assignment flaws, enabling unauthorized data modification, deletion, and object re-ownership.

This batch of vulnerabilities requires immediate attention from MISP administrators. Promptly applying security updates is essential to protect against potential compromise and maintain the integrity of threat intelligence data.

On June 22, 2026, a significant security event impacted the MISP platform with the coordinated disclosure of five vulnerabilities. Two of these vulnerabilities, CVE-2026-56447 and CVE-2026-56446, are critical remote code execution (RCE) flaws that can be triggered by authenticated site administrators through manipulation of rdkafka configuration paths and NDJSON error log paths, respectively. The remaining three vulnerabilities, CVE-2026-56424, CVE-2026-56423, and CVE-2026-56422, are related to broken access control and mass assignment, allowing for unauthorized cross-organization data modification or deletion and object re-ownership.

This concentrated release of vulnerabilities underscores the importance of maintaining up-to-date MISP instances. Users are strongly advised to consult official MISP security advisories and apply all relevant patches without delay to mitigate these risks.

Synthesized by Vypr AI