Auth bypass in MISP
CVE-2026-56422
Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uui…
Vulnerability class: IDOR (Insecure Direct Object Reference)
Affected products
- MISP — versions 0
Weakness classification (CWE)
References
- 5a6e4751-2f3f-4070-9419-94fb35b644e8 (patch)