PatchSiren

CVE-2026-56423 misp CVE debrief

CVE-2026-56423 is a critical vulnerability in MISP Core's bulk deletion functionality. Affected handlers used broad role-level permissions instead of object-specific authorization checks. An authenticated attacker with relevant role permissions could delete Event Reports and Sharing Groups outside their organization's scope, leading to data loss across the instance.

Vendor: misp
Product: Unknown
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-22
Advisory published: 2026-06-22
Advisory updated: 2026-06-22

Who should care

Organizations using MISP Core for threat intelligence and incident response should prioritize patching. Security teams and administrators responsible for MISP Core instances must assess their exposure and take immediate action to limit potential damage.

Technical summary

The vulnerability exists in the bulk deletion flows for Event Reports and Sharing Groups in MISP Core. Specifically, the deleteSelection handlers for EventReportsController and SharingGroupsController relied on broad role-level permissions (perm_add and perm_sharing_group) rather than per-object authorization checks. This allowed contributor-level users to delete reports and sharing groups from other organizations. Fixes involve changing callbacks to validate user authorization for each selected object.
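
The difference between a role-level gate and a per-object check, as an added example: this is a simplified Python model, not MISP's own PHP code. The User and EventReport classes, the function names, the owner-organisation rule and the choice to reject the whole batch are assumptions for illustration; only the perm_add flag name comes from the text above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    org_id: int
    perm_add: bool            # role-level flag named in the summary above
    site_admin: bool = False

@dataclass
class EventReport:
    id: int
    org_id: int               # owning organisation (assumed ownership model)

def can_modify(user, report):
    """Per-object check: the role flag alone is not enough, the org must match."""
    return user.site_admin or (user.perm_add and report.org_id == user.org_id)

def bulk_delete_role_only(user, store, ids):
    """'Before' pattern: a single role-level gate covers the whole selection."""
    if not user.perm_add:
        raise PermissionError("role lacks perm_add")
    deleted = [i for i in ids if i in store]
    for i in deleted:
        del store[i]          # ownership of each object is never consulted
    return deleted

def bulk_delete_per_object(user, store, ids):
    """'After' pattern: authorize every selected object before deleting any."""
    targets = [store[i] for i in ids if i in store]
    denied = [r.id for r in targets if not can_modify(user, r)]
    if denied:
        # Fail closed: one unauthorized id rejects the whole batch (assumption).
        raise PermissionError(f"not authorized for reports {denied}")
    for r in targets:
        del store[r.id]
    return [r.id for r in targets]

def sample_store():
    # Constructed sample data: reports 1 and 2 belong to org 10, report 3 to org 20.
    return {1: EventReport(1, 10), 2: EventReport(2, 10), 3: EventReport(3, 20)}
```

A regression test for a patched instance can follow the same shape: submit a selection that mixes owned and foreign objects and confirm that nothing outside the caller's organisation is removed.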

Defensive priority

High priority due to potential for significant data loss and instance-wide impact.

Recommended defensive actions

  • Review and apply official patches or updates provided by MISP Core
  • Inventory MISP Core instances and verify exposure to vulnerable bulk deletion endpoints
  • Limit access to bulk deletion functionality to minimize potential impact
  • Monitor for suspicious activity related to Event Reports and Sharing Groups
  • Implement compensating controls to detect and prevent unauthorized deletions

Evidence notes

Primary evidence comes from the CVE record and NVD detail. The affected product is MISP Core, with specific versions not provided. Defenders should verify instance configurations and user access levels against official documentation and patch notes.

This article is AI-assisted and based on the supplied source corpus.