Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Description

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process.

The fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments.

AI Analysis

Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path

Basic Information

ID CVE-2026-56446

Source CIRCL

Published Jun 22, 2026 at 12:31

Affected Product

Vendor misp

Product misp

Affected Versions misp misp 0

CWE Classification

CWE-94

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor MISP

Product MISP

References

github.com /MISP/MISP/commit/9600d486ccfc98388e13897fd954350cebac5fb0

{
    "lastseen": "",
    "description": "MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process.\n\nThe fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments.",
    "published": "2026-06-22T12:31:40.362Z",
    "modified": "2026-06-22T12:31:40.362Z",
    "type": "cve",
    "title": "Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path in MISP",
    "source": "CIRCL",
    "references": "https://github.com/MISP/MISP/commit/9600d486ccfc98388e13897fd954350cebac5fb0",
    "id": "CVE-2026-56446",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "misp misp 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "misp",
    "version": "0",
    "vendor": "misp",
    "ai_description": "Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path",
    "ai_severity": "High",
    "ai_vendor": "MISP",
    "ai_product": "MISP",
    "ai_version": "0",
    "ai_score": 8.7
}

Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path in MISP_CVE-2026-56446