PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9137 misp CVE debrief

CVE-2026-9137 is a medium-severity availability issue (CVSS 5.1) in a CSP report endpoint. The endpoint was intended to limit logged CSP reports to 1 KB, but the supplied source indicates it incorrectly allowed reports up to 1 MB before truncation. If the endpoint is reachable by untrusted clients, an attacker could drive excessive log volume and contribute to resource exhaustion or log flooding.

Vendor: misp
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Operators of deployments that expose a CSP report endpoint to untrusted or internet-facing clients should review this issue first, especially if logs are centralized, retained for long periods, or processed by resource-constrained pipelines.

Technical summary

The NVD record classifies the weakness as CWE-400 (Uncontrolled Resource Consumption). The source description says the CSP report endpoint was supposed to cap logged reports at 1 KB but instead allowed up to 1 MB before truncation. That creates a larger-than-intended logging surface that can be abused to increase storage, ingestion, or processing load. The supplied corpus does not provide affected version ranges or confirm product attribution beyond a GitHub reference in the MISP repository.

Defensive priority

Moderate. According to the supplied description this is not a code-execution or data-exposure issue, but it can still be operationally disruptive wherever the endpoint is reachable by untrusted senders.

Recommended defensive actions

  • Review whether the CSP report endpoint is exposed to untrusted or public clients.
  • Confirm that report-size limits are enforced at the request boundary, not only after logging or truncation.
  • Add or verify rate limiting and request size controls on the reporting endpoint.
  • Monitor for abnormal spikes in CSP report traffic, log volume, and log ingestion costs.
  • If a fix is available in your deployed codebase, apply it and validate that the effective cap is 1 KB as intended.
  • Consider isolating or buffering CSP report handling so oversized or repeated submissions cannot degrade core services.
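The following is an added illustration of the second, third and fifth actions above; it is not MISP's code and not taken from the referenced commit. It contrasts the pattern the advisory describes (accept a body up to 1 MB, truncate, then log) with a handler that enforces the 1 KB cap at the request boundary, rejects a body that exceeds its declared length, validates the report shape before anything is written, and applies a per-client token-bucket rate limit. The `Request`, `TokenBucket` and `Handler` names, the status codes and the sample report are constructed for this example; the 1 KB and 1 MB figures come from the advisory.

```python
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Figures from the advisory: the intended cap is 1 KB; the observed
# over-permissive limit was 1 MB.
INTENDED_CAP = 1024
OVERSIZED_CAP = 1024 * 1024


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    client: str
    headers: Dict[str, str]
    body: bytes


class TokenBucket:
    """Per-client token bucket; `clock` is injectable so tests are deterministic."""

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def handle_weak(req: Request, log: List[bytes]) -> Tuple[int, str]:
    """The pattern the advisory describes: the body is accepted and stored up
    to 1 MB, and only truncation (not rejection) limits what is logged."""
    log.append(req.body[:OVERSIZED_CAP])
    return 204, "logged"


class Handler:
    """Hardened pattern: size, shape and rate checks run before any logging."""

    def __init__(self, cap: int = INTENDED_CAP, burst: int = 5,
                 refill_per_sec: float = 1.0,
                 clock: Callable[[], float] = time.monotonic):
        self.cap = cap
        self.burst = burst
        self.refill = refill_per_sec
        self.clock = clock
        self.buckets: Dict[str, TokenBucket] = {}

    def _bucket(self, client: str) -> TokenBucket:
        if client not in self.buckets:
            self.buckets[client] = TokenBucket(self.burst, self.refill, self.clock)
        return self.buckets[client]

    def handle(self, req: Request, log: List[bytes]) -> Tuple[int, str]:
        # 1. Rate-limit per client before touching the body at all.
        if not self._bucket(req.client).allow():
            return 429, "rate limited"
        # 2. The declared length must be present, numeric and within the cap.
        declared = req.headers.get("Content-Length")
        if declared is None or not declared.isdigit():
            return 411, "length required"
        if int(declared) > self.cap:
            return 413, "report exceeds 1 KB cap"
        # 3. Read at most cap+1 bytes so a lying Content-Length cannot smuggle
        #    a larger body past the check (slicing stands in for a bounded read).
        body = req.body[: self.cap + 1]
        if len(body) > self.cap:
            return 413, "body exceeds allowed length"
        # 4. Validate the report shape so malformed input never reaches the log.
        try:
            report = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return 400, "invalid report"
        if not isinstance(report, dict) or "csp-report" not in report:
            return 400, "invalid report"
        log.append(body)
        return 204, "logged"


def sample_report() -> bytes:
    """A small, well-formed CSP report (constructed sample input)."""
    return json.dumps({"csp-report": {"document-uri": "https://example.test/",
                                      "violated-directive": "script-src"}}).encode()


def make_request(client: str, body: bytes, declared: str = None) -> Request:
    """Build a Request; `declared` overrides Content-Length to simulate a lying client."""
    headers = {"Content-Length": str(len(body)) if declared is None else declared}
    return Request(client, headers, body)
```

The essential difference is where the limit is applied: `handle_weak` has already read and stored the full body by the time it truncates, so storage, ingestion and any downstream processing see the oversized payload, whereas `Handler.handle` never appends anything unless every boundary check passed. In a real server the `cap + 1` slice corresponds to a bounded read of the request stream rather than trusting the declared length.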

Evidence notes

The description, CVSS metadata, and CWE-400 classification come from the supplied NVD-derived source item. The source reference is a GitHub commit in the MISP repository (02932cccab230b295afcaf5aa05e363d30db0ec9). The supplied corpus does not confirm vendor ownership, affected versions, or whether the issue is externally reachable in every deployment.

Official resources

CVE published by NVD on 2026-05-20. The supplied data does not include a KEV entry. Vendor attribution in the corpus is unconfirmed and marked for review.