PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54360 misp CVE debrief

A mass assignment vulnerability exists in MISP's sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one. An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups.

Vendor
misp
Product
Unknown
CVSS
HIGH 8.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-12
Original CVE updated
2026-06-12
Advisory published
2026-06-12
Advisory updated
2026-06-12

Who should care

Users of MISP (Malware Information Sharing Platform) who have permission to add sharing groups are potentially affected by this vulnerability.

Technical summary

The vulnerability exists in the app/Controller/SharingGroupsController.php, add() action. The CVSS score for this vulnerability is 8.4, indicating a HIGH severity.

Defensive priority

HIGH

Recommended defensive actions

  • Apply the patch referenced in [ref-4](https://github.com/MISP/MISP/commit/687e7cb530ae0e2faaadf5e3e44712258fb3ef1b) to fix the mass assignment vulnerability.

Evidence notes

The CVE record for this vulnerability can be found at [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-54360). The NVD detail page is available at [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-54360).

Official resources

CVE-2026-54360 was published on 2026-06-12T20:16:47.980Z.