CVE-2026-54360— MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups
Possible ATT&CK Techniques 1AI
T1136.001 · Local AccountGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-54360
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups
Source: NVD (National Vulnerability Database)
Vulnerability Description
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one. An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups. Affected component: app/Controller/SharingGroupsController.php, add() action
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
MISP 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MISP是MISP组织开源的一套开源的软件解决方案。 该产品用于收集、存储、分发、共享网络安全指标,并具有威胁网络安全事件分析和恶意软件分析等功能。 MISP 2.5.40之前版本存在授权问题漏洞,该漏洞源于共享组创建端点存在批量赋值漏洞,控制器在保存提交数据前未移除用户提供的id字段,导致经过身份验证且具有添加共享组权限的用户可提交现有共享组的标识符并修改该共享组,从而可能接管或更改其原本无权访问的共享组,影响共享信息的机密性和完整性。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-54360
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-54360
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-54360 (1)
Same Patch Batch · misp · 2026-06-12 · 12 CVEs total
| CVE-2026-54358 | MISP organization administrators can target site administrator accounts for password reset | |
| CVE-2026-54362 | MISP template builder exposes non-visible custom galaxies across organisations | |
| CVE-2026-54359 | MISP automation endpoints may be exposed to CSRF when Sec-Fetch-Site protection is disable | |
| CVE-2026-54398 | MISP object edit authorization bypass allows unauthorized sharing group assignment | |
| CVE-2026-54396 | MISP AuthKey edit endpoint allows authenticated user email enumeration | |
| CVE-2026-54394 | MISP organisation logo path traversal allows retrieval of arbitrary PNG/SVG files | |
| CVE-2026-54357 | MISP improper authorization allows organization administrators to modify site administrato | |
| CVE-2026-54393 | MISP Overmind theme stored XSS via unvalidated homepage setting | |
| CVE-2026-54395 | MISP UiBeta event index reflected XSS in advanced filter popup | |
| CVE-2026-54397 | MISP event editing allows unauthorized assignment to undisclosed sharing groups | |
| CVE-2026-54361 | MISP mass assignment vulnerabilities allow unauthorized modification of ownership and dele |
IV. Related Vulnerabilities
Same product: misp
- CVE-2026-54398
MISP object edit authorization bypass allows unauthorized sh - CVE-2026-54397
MISP event editing allows unauthorized assignment to undiscl - CVE-2026-54396
MISP AuthKey edit endpoint allows authenticated user email e - CVE-2026-54395
MISP UiBeta event index reflected XSS in advanced filter pop - CVE-2026-54394
MISP organisation logo path traversal allows retrieval of ar
Same vendor: misp
- CVE-2026-54398
MISP object edit authorization bypass allows unauthorized sh - CVE-2026-54397
MISP event editing allows unauthorized assignment to undiscl - CVE-2026-54396
MISP AuthKey edit endpoint allows authenticated user email e - CVE-2026-54395
MISP UiBeta event index reflected XSS in advanced filter pop - CVE-2026-54394
MISP organisation logo path traversal allows retrieval of ar
Same weakness: CWE-639
- CVE-2026-12102
UsersWP <= 1.2.63 - Insecure Direct Object Reference to Auth - CVE-2026-10623
PressPrimer Quiz <= 2.3.0 - Insecure Direct Object Reference - CVE-2026-10023
Dokan: AI Powered WooCommerce Multivendor Marketplace Soluti - CVE-2026-48759
TypeBot: Cross-Workspace Theme Template IDOR (Modification a - CVE-2026-55198
Hermes WebUI < 0.51.443 - Cross-Profile Session Data Exfiltr
V. Comments for CVE-2026-54360
No comments yet