CVE-2026-54396
Essential information
- Published
- 12/06/2026 23:16
- Modified
- 12/06/2026 21:16
- Author
- The MITRE Corporation
- Creator
- The MITRE Corporation
- CVSS
- 5.3 MEDIUM (v3) 5.3 MEDIUM (v4.0)
- CISA KEV
- No
- CWE
- CWE-200
- CVSS vector
-
—
—
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Privileges required
- —
- User interaction
- —
- Scope
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- Network
- Attack complexity
- Low
- Attack requirements
- None
- Privileges required
- Low
- User interaction
- None
- Confidentiality (V)
- Low
- Confidentiality (S)
- None
- Integrity (V)
- None
- Integrity (S)
- None
- Availability (V)
- None
- Availability (S)
- None
- Exploit maturity
- NOT_DEFINED
Description
An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.
NVD status
- Status
- Received — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- 5a6e4751-2f3f-4070-9419-94fb35b644e8
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| misp / misp | cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:* |