PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54397 misp CVE debrief

A vulnerability in MISP's non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event's sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing group distribution, the non-REST save path accepted the submitted sharing_group_id without performing the same sharing group authorization check enforced by the REST edit path.

Vendor
misp
Product
Unknown
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-12
Original CVE updated
2026-06-12
Advisory published
2026-06-12
Advisory updated
2026-06-12

Who should care

Users of MISP (Malware Information Sharing Platform) who have event edit permissions and rely on sharing groups for event distribution.

Technical summary

The issue arises from the lack of proper authorization checks in the non-REST event editing path. An attacker could exploit this by tampering with the event edit request and assigning an event to an undisclosed or unauthorized sharing group. This could result in unauthorized use of restricted sharing groups, disclosure of the sharing group name in event listings, and unintended modification of the event's distribution metadata.

Defensive priority

MEDIUM

Recommended defensive actions

  • Apply the fix by validating that the selected sharing group can be used by the current user when the sharing group is changed, and by clearing sharing_group_id when the event distribution is not set to sharing group.
  • Review and update event distributions and sharing groups to ensure proper authorization.

Evidence notes

The issue is fixed by validating that the selected sharing group can be used by the current user when the sharing group is changed, and by clearing sharing_group_id when the event distribution is not set to sharing group.

Official resources

CVE-2026-54397 was published on 2026-06-12T21:16:25.557Z.