PatchSiren cyber security CVE debrief

CVE-2026-56422 misp CVE debrief

CVE-2026-56422 is a critical vulnerability with a CVSS score of 9.4, affecting MISP core controllers and model capture paths. An authenticated user with access to one authorized object could submit crafted REST or form payloads, causing MISP to save data against a different object than the one checked by the authorization logic. This could lead to object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user's context.

Vendor: misp
Product: Unknown
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-22
Advisory published: 2026-06-22
Advisory updated: 2026-06-22

Who should care

Defenders of MISP installations, security teams, and administrators responsible for MISP servers should prioritize addressing this vulnerability. Given the critical severity and potential impact, immediate attention is necessary to limit exposure.

Technical summary

The vulnerability arises from MISP core controllers and model capture paths accepting client-controlled request fields, such as primary keys and ownership/scope foreign keys, without consistently stripping, pinning, or revalidating them against the server-authorized object. This allows an authenticated user to manipulate object relationships and content, potentially leading to unauthorized modifications across the MISP instance.

Defensive priority

High priority, due to the critical CVSS score and the potential for significant unauthorized modifications.

Recommended defensive actions

  • Inventory and review MISP instances for exposure
  • Apply official patches or updates provided by MISP
  • Review and restrict user access and permissions
  • Monitor for suspicious activity or anomalies
  • Implement compensating controls to limit potential damage

Evidence notes

The CVE record and NVD detail provide information on the vulnerability. Multiple commits in the MISP GitHub repository address this issue, including 00b2e3d, 025f711, and 7acf822. These commits harden affected create/edit/import flows by stripping client-supplied primary keys, re-pinning route- or database-authorized identifiers, validating effective sharing-group scope, and adding field whitelists.
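
One way to apply the hardening steps listed above (whitelist fields, validate the effective sharing-group scope, re-pin server-authorized identifiers) on an edit path. This is an added example, not code from MISP or from the commits named here; the function name, the field names and the distribution value 4 are assumptions made for illustration.

```php
<?php
// Added illustration; function and field names are assumptions, not MISP code.

// Fields a client may set on edit. Keys and ownership columns are absent on purpose.
const EDITABLE_FIELDS = ['name', 'description', 'comment', 'distribution', 'sharing_group_id'];

/**
 * Build the array that will be saved for an edit request.
 *
 * $authorized: row loaded server-side by the route id, after the ACL check passed.
 * $payload: decoded REST or form body (client-controlled).
 * $allowedSharingGroupIds: integer ids of sharing groups the requesting user may use.
 */
function buildEditData(array $authorized, array $payload, array $allowedSharingGroupIds): array
{
    // 1. Whitelist: drops id, uuid, event_id, org_id, user_id and anything unknown.
    $data = array_intersect_key($payload, array_flip(EDITABLE_FIELDS));

    // 2. Validate the effective scope, whether it comes from the payload or the stored row.
    $distribution = (int)($data['distribution'] ?? $authorized['distribution']);
    if ($distribution === 4) { // assumed value meaning "sharing group"
        $sgId = (int)($data['sharing_group_id'] ?? $authorized['sharing_group_id']);
        if (!in_array($sgId, $allowedSharingGroupIds, true)) {
            throw new InvalidArgumentException('sharing group not permitted for this user');
        }
        $data['sharing_group_id'] = $sgId;
    } else {
        $data['sharing_group_id'] = 0; // no sharing group outside that distribution level
    }
    $data['distribution'] = $distribution;

    // 3. Re-pin identity and ownership from the authorized row, never from the request.
    foreach (['id', 'event_id', 'org_id'] as $pinned) {
        $data[$pinned] = $authorized[$pinned];
    }
    return $data;
}

// Constructed sample: the user may edit object 10 in event 3; the payload names other keys.
$authorized = ['id' => 10, 'event_id' => 3, 'org_id' => 7, 'distribution' => 1, 'sharing_group_id' => 0];
$payload = ['id' => 99, 'event_id' => 42, 'org_id' => 1, 'comment' => 'updated', 'is_admin' => 1];
var_export(buildEditData($authorized, $payload, [5]));
```

The saved array always carries the identifiers of the row that passed the authorization check, so a mismatch between the checked object and the written object cannot come from the request body.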

This article is AI-assisted and based on the supplied source corpus.