{“lastseen”:””,”description”:”Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership\/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.\\n\\nIn affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event\/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user\u2019s context.\\n\\nThe fixes harden affected create\/edit\/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit()\u00a0primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub\u2019s patch for 7acf8220c\u00a0describes this central issue as CRUDComponent::edit()\u00a0copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save()\u00a0to update an arbitrary row unless the loaded ID is re-pinned.”,”published”:”2026-06-22T11:43:02.690Z”,”modified”:”2026-06-22T11:43:02.690Z”,”type”:”cve”,”title”:”MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields”,”source”:”CIRCL”,”references”:”https:\/\/github.com\/MISP\/MISP\/commit\/7acf8220cafac58bcfb362da37aca512fe4bb396\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/bc182d55dde5686a36ca2eb88fe6c2adabb9fad9\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/58f637aaab4d133e72f1454ebb963191d96d3b78\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/05aad418c57bb78e6b58a843d70d45de8f50db45\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/63aebc27a878233b9475c742985aaef909bc755b\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/00b2e3dae56fa24ea750eb525cc4709b7e5bee85\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/634f1f87c295193486c08c2c7ba1fee8a7339baa\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/ab9619dfa6cb5210fd20fb3b0b57006e4fc93916\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/8311427c2edd72a8341f0a65e1f11073d7ad9191\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/c80a3533b3d787f45f5185a4621cc0f05b0cf2e5\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/025f711506850aadb69cde1b57e5e5d57628c87f\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/3ff6bd9cfdab5d41b4667ea7298d88ffd6f3fcb8\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/84bafe69f5d0ab7f811371c0801a613f271ebc0b\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/2cc26f38f3e85c594957899f09043d5193146607\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/57433015815e59db5a1f11536f90920952cf3fcd\\nhttps:\/\/github.com\/MISP\/MISP\/commit\/9341690e9b6dde7f0605edea5533e05ba7362e35″,”id”:”CVE-2026-56422″,”bulletinFamily”:””,”cwe”:[“CWE-639″],”cvelist”:null,”sourceData”:”misp misp 0″,”sourceHref”:””,”cvss”:{“score”:9.4,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:N\/VC:H\/VI:H\/VA:H\/SC:H\/SI:H\/SA:H”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”misp”,”version”:”0″,”vendor”:”misp”,”ai_description”:”AI processing failed – invalid JSON response”,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership\/scope foreign keys (event_id, org_id, user_id, sharing_group_id,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[9,6,8,131,12,13,7,11,5],"class_list":["post-64730","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-critical","tag-cve","tag-cvss","tag-cvss-94","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n