PatchSiren cyber security CVE debrief

CVE-2026-54396 misp CVE debrief

CVE-2026-54396 is an information disclosure vulnerability in the MISP AuthKey edit functionality. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.

Vendor: misp
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-12
Advisory published: 2026-06-12
Advisory updated: 2026-06-12

Who should care

Users of MISP (Malware Information Sharing Platform) who have permission to edit AuthKeys should be aware of this vulnerability. An attacker with this permission could potentially enumerate user email addresses.

Technical summary

The vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown is populated using the attacker-controlled AuthKey.user_id value from the submitted request data. This allows an authenticated user with permission to edit an AuthKey to submit arbitrary user IDs and observe the returned dropdown data, enabling enumeration of user email addresses.
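The defect described above is a classic "trust the request body over the persisted record" mistake. The following Python model, written for this debrief rather than taken from MISP's own (PHP) code base, shows the vulnerable handler beside the fixed one and a regression check that confirms a failed edit never reveals an email other than the key owner's. The data store, handler names, validation rule and sample users are all assumptions.

```python
"""Added example: a minimal model of the AuthKey edit flow described in the debrief.
This is illustrative code for this page, not MISP's own controller logic; the
store, field names and validation rule below are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class User:
    id: int
    email: str


@dataclass
class AuthKey:
    id: int
    user_id: int          # persisted owner of the key
    comment: str = ""


# Constructed sample records (not real MISP data).
USERS: Dict[int, User] = {
    1: User(1, "alice@example.org"),
    2: User(2, "bob@example.org"),
    3: User(3, "carol@example.org"),
}
AUTHKEYS: Dict[int, AuthKey] = {10: AuthKey(10, user_id=1)}


def validate(data: dict) -> bool:
    """Assumed validation rule: the comment must be a non-empty string."""
    return isinstance(data.get("comment"), str) and data["comment"] != ""


def dropdown_for(user_id: int) -> Dict[int, str]:
    """Build the user dropdown (id -> email) shown on the edit form."""
    user = USERS.get(user_id)
    return {user.id: user.email} if user else {}


def edit_authkey_vulnerable(authkey_id: int, request_data: dict) -> dict:
    """Vulnerable pattern: on a validation error the dropdown is re-populated
    from the request-supplied user_id, so the caller chooses whose email is shown."""
    key = AUTHKEYS[authkey_id]
    if not validate(request_data):
        try:
            chosen = int(request_data.get("user_id", key.user_id))
        except (TypeError, ValueError):
            chosen = key.user_id
        return {"ok": False, "dropdown": dropdown_for(chosen)}
    key.comment = request_data["comment"]
    return {"ok": True, "dropdown": dropdown_for(key.user_id)}


def edit_authkey_fixed(authkey_id: int, request_data: dict) -> dict:
    """Fixed pattern: the dropdown user is always the persisted AuthKey owner;
    a user_id in the request body is ignored for this purpose."""
    key = AUTHKEYS[authkey_id]
    if not validate(request_data):
        return {"ok": False, "dropdown": dropdown_for(key.user_id)}
    key.comment = request_data["comment"]
    return {"ok": True, "dropdown": dropdown_for(key.user_id)}


def leaks_nonowner_email(handler: Callable[[int, dict], dict], authkey_id: int = 10) -> bool:
    """Regression check: does any failed edit reveal an email other than the owner's?"""
    owner_email = USERS[AUTHKEYS[authkey_id].user_id].email
    for uid in USERS:
        result = handler(authkey_id, {"comment": "", "user_id": str(uid)})
        if any(email != owner_email for email in result["dropdown"].values()):
            return True
    return False


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_nonowner_email(edit_authkey_vulnerable))  # True
    print("fixed leaks:     ", leaks_nonowner_email(edit_authkey_fixed))       # False
```

The fix is deliberately not "validate user_id harder": any value read from the request body for the purpose of rendering another user's data is the wrong source, so the fixed handler reads the owner from the stored record and nowhere else. The `leaks_nonowner_email` check is the kind of regression test worth keeping next to the handler so the vulnerable pattern cannot return silently.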

Defensive priority

MEDIUM

Recommended defensive actions

  • Apply the fix: Derive the dropdown user from the persisted AuthKey owner instead of the request body.
  • Restrict permissions: Limit the ability to edit AuthKeys to only necessary users.
  • Monitor for suspicious activity: Review AuthKey edit requests for signs of user enumeration, such as repeated submissions that fail validation while varying the AuthKey.user_id value.

Evidence notes

The CVE-2026-54396 vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity. The issue was published and modified on June 12, 2026.

Official resources

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from