CVE 8.6 HIGH

MISP: Improper access control in auth key reset allows privilege escalation to site administrator_CVE-2026-44380

May 13, 2026 invoker category_cve

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. This vulnerability is fixed in 2.5.37.

AI Analysis

Improper access control in authentication key reset allows privilege escalation to site administrator

Basic Information

ID CVE-2026-44380

Source GitHub_M

Published May 13, 2026 at 20:51

Affected Product

Vendor MISP

Product MISP

Version < 2.5.37

Affected Versions MISP MISP < 2.5.37

CWE Classification

CWE-863

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor MISP

Product MISP

Version < 2.5.37

References

github.com /MISP/MISP/security/advisories/GHSA-3939-4g6m-m3hc

{
    "lastseen": "",
    "description": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. This vulnerability is fixed in 2.5.37.",
    "published": "2026-05-13T20:51:30.955Z",
    "modified": "2026-05-13T20:51:30.955Z",
    "type": "cve",
    "title": "MISP:  Improper access control in auth key reset allows privilege escalation to site administrator",
    "source": "GitHub_M",
    "references": "https://github.com/MISP/MISP/security/advisories/GHSA-3939-4g6m-m3hc",
    "id": "CVE-2026-44380",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "MISP MISP < 2.5.37",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MISP",
    "version": "< 2.5.37",
    "vendor": "MISP",
    "ai_description": "Improper access control in authentication key reset allows privilege escalation to site administrator",
    "ai_severity": "High",
    "ai_vendor": "MISP",
    "ai_product": "MISP",
    "ai_version": "< 2.5.37",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply