CVE-2026-54398— MISP 授权问题漏洞

MISP object edit authorization bypass allows unauthorized sharing group assignment

An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use. An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.

N/A

授权机制不正确

MISP 授权问题漏洞

MISP是MISP组织开源的一套开源的软件解决方案。 该产品用于收集、存储、分发、共享网络安全指标,并具有威胁网络安全事件分析和恶意软件分析等功能。 MISP存在授权问题漏洞，该漏洞源于授权缺陷，可能导致通过身份验证的用户绕过共享组验证，将对象或属性分配给未授权的共享组，并可能泄露共享组的存在名称或不当修改对象或包含属性的分布元数据。

N/A

N/A