CVE-2026-56422
CriticalCVSS 9.4Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys and foreign keys without proper server-side validation. This allows authenticated users to submit crafted data, potentially leading to object overwrites or unauthorized data access.
Risk Assessment
The organization may face serious security breaches, including unauthorized data sharing and object manipulation, which could result in data integrity loss and user trust issues.
Recommendation
It is recommended to implement fixes that strip client-supplied primary keys and validate identifiers before save operations. Additionally, ensure that ownership fields cannot be edited by users.
Original NVD description (English source)
Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object. In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user’s context. The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub’s patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned.

