CVE-2026-54397— MISP 授权问题漏洞

MISP event editing allows unauthorized assignment to undisclosed sharing groups

A vulnerability in MISP’s non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event’s sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing group distribution, the non-REST save path accepted the submitted sharing_group_id without performing the same sharing group authorization check enforced by the REST edit path. An attacker could exploit this by tampering with the event edit request and assigning an event to an undisclosed or unauthorized sharing group. This could result in unauthorized use of restricted sharing groups, disclosure of the sharing group name in event listings, and unintended modification of the event’s distribution metadata. The issue is fixed by validating that the selected sharing group can be used by the current user when the sharing group is changed, and by clearing sharing_group_id when the event distribution is not set to sharing group distribution.

N/A

授权机制不正确

MISP 授权问题漏洞

MISP是MISP组织开源的一套开源的软件解决方案。 该产品用于收集、存储、分发、共享网络安全指标,并具有威胁网络安全事件分析和恶意软件分析等功能。 MISP存在授权问题漏洞，该漏洞源于非REST事件编辑路径缺少对分享组的授权验证，可能导致已认证用户利用表单数据操作，将事件分配至未授权的分享组，从而造成分享组名称泄露、事件元数据被修改。

N/A

N/A