CVE-2026-54398
Essential information
- Published
- 13/06/2026 00:16
- Modified
- 12/06/2026 22:16
- Author
- The MITRE Corporation
- Creator
- The MITRE Corporation
- CVSS
- 5.3 MEDIUM (v3) 5.3 MEDIUM (v4.0)
- CISA KEV
- No
- CWE
- CWE-863
- CVSS vector
-
—
—
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Privileges required
- —
- User interaction
- —
- Scope
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- Network
- Attack complexity
- Low
- Attack requirements
- None
- Privileges required
- Low
- User interaction
- None
- Confidentiality (V)
- Low
- Confidentiality (S)
- None
- Integrity (V)
- Low
- Integrity (S)
- None
- Availability (V)
- None
- Availability (S)
- None
- Exploit maturity
- NOT_DEFINED
Description
An authorization flaw in MISP’s object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use.
An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes.
NVD status
- Status
- Received — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- 5a6e4751-2f3f-4070-9419-94fb35b644e8
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| misp / misp | cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:* |