Auth bypass in Misp

CVE-2026-9084

MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where…

Vulnerability class: Broken Authentication

EPSS: 0.000 (9.1th percentile) — read the EPSS interpretation.

Affected products

  • Misp — versions 2.5.0

Weakness classification (CWE)

References