PatchSiren cyber security CVE debrief

CVE-2026-9084 misp CVE debrief

CVE-2026-9084 describes an authentication weakness in MISP’s OIDC plugin where an OIDC identity could be automatically linked to an existing local user account using the email claim if that account did not already have a stored sub value. In environments where the identity provider does not strongly enforce email ownership or is otherwise untrusted, a valid OIDC token asserting a victim’s email address could be used to authenticate as that user. The practical security impact is account takeover through weak identity binding rather than password compromise.

Vendor: misp
Product: Unknown
CVSS: MEDIUM 6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

MISP administrators and security teams using OIDC for login, especially those relying on email-based identity matching, automatic account linking, or identity providers that do not strictly verify email ownership. Multi-tenant or high-trust MISP deployments should review this urgently.

Technical summary

The issue is an identity-association flaw in MISP’s OIDC authentication flow. According to the supplied description, the plugin allowed an OIDC identity to be linked to an existing local user based on the email claim whenever the local account had no stored sub value. Because the sub claim is the stable, IdP-assigned OIDC identifier, falling back to email lets an attacker who holds a valid token whose email claim they control authenticate as another user, provided the IdP does not prevent unverified email assertions. NVD lists the weakness as CWE-287 (Improper Authentication).

Defensive priority

Medium overall, but higher priority for any MISP deployment that uses OIDC with automatic account linking or depends on email as an identity key. Treat as urgent if the configured IdP does not strongly attest to email ownership.

Recommended defensive actions

  • Update MISP to a version that includes the fix referenced by the upstream commit in the NVD record.
  • Review OIDC configuration to ensure users are bound by immutable identifiers such as sub, not email alone.
  • Disable or restrict automatic linking of OIDC identities to existing local accounts unless the IdP is fully trusted and email verification is enforced.
  • Audit existing MISP accounts for identities that may have been linked through email-based fallback logic.
  • Validate that local accounts have correct, persistent OIDC subject mappings and remove ambiguous or stale associations.
  • Monitor authentication logs for unexpected account associations or login events involving email-matched identities.
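As an added illustration (not MISP’s code and not part of the advisory), the Python sketch below models the email-fallback binding described in the technical summary beside a stricter variant that applies the first two recommended actions, plus an audit helper for the fourth; the function names, user-record layout and sample accounts are assumptions.

```python
"""Constructed model of OIDC-to-local-account binding. Not MISP's code:
the record layout, function names and sample accounts are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    email: str
    sub: Optional[str] = None  # OIDC subject pinned at first trusted login


def find_by_sub(users, sub):
    return next((u for u in users if u.sub == sub), None)


def find_by_email(users, email):
    return next((u for u in users if u.email.lower() == email.lower()), None)


def link_vulnerable(users, claims):
    """Weak binding: when no account carries this sub, fall back to the
    email claim alone. A token asserting a victim's email resolves to the
    victim's account, which is the weakness the advisory describes."""
    user = find_by_sub(users, claims["sub"])
    if user is None:
        user = find_by_email(users, claims.get("email", ""))
    return user


def link_hardened(users, claims, idp_trusted_for_email=False):
    """Strict binding: sub first. Email fallback only when the deployment
    explicitly trusts the IdP and the token carries email_verified=true;
    the account is then pinned to this sub so the fallback never recurs."""
    user = find_by_sub(users, claims["sub"])
    if user is not None:
        return user
    if idp_trusted_for_email and claims.get("email_verified") is True:
        user = find_by_email(users, claims.get("email", ""))
        if user is not None and user.sub is None:
            user.sub = claims["sub"]  # one-time link, sub-only from now on
            return user
    return None  # ambiguous: refuse and require admin provisioning


def accounts_missing_subject(users):
    """Audit helper: accounts still reachable through email fallback."""
    return [u.email for u in users if u.sub is None]
```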

Evidence notes

The supplied NVD record identifies CVE-2026-9084 as an authentication issue with CWE-287 and links an upstream MISP commit (71f5662c1b5886613d2cd5c72fd93bb4ca6fa172) as the reference. The vulnerability description supplied with the CVE states that automatic linking by email, when no local sub value existed, could permit account takeover if the IdP did not enforce email ownership. NVD currently shows the vulnerability status as Awaiting Analysis.

Official resources

Publicly recorded on 2026-05-20 in the CVE/NVD sources provided. No KEV entry was supplied.