CVE-2026-60124 in MISPinfo

Summary

by MITRE • 07/08/2026

An authorization bypass in MISP’s EventsController::importModule() allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the misp_standard format, the write path did not verify event modification rights before saving the module output. This could allow a view-only user to inject or alter event data, impacting the integrity of MISP event content. The issue was fixed by enforcing the same modification-rights check used by related module result handling paths before processing misp_standard imports.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability represents a critical authorization bypass in the MISP (Malware Information Sharing Platform) system that undermines the platform's data integrity controls. The flaw exists within the EventsController::importModule() function where authenticated users or those with read-only API keys possessing event view access can manipulate event data despite lacking proper modification permissions. This authorization bypass stems from insufficient access control verification during the import process, creating a pathway for unauthorized data modification that directly impacts the system's core security model.

The technical implementation of this vulnerability occurs when import modules return results in the misp_standard format, which triggers a specific code path that omits the standard modification rights verification. This discrepancy creates an inconsistent access control enforcement mechanism where the system properly validates write permissions for most module result handling but fails to perform these checks specifically for misp_standard formatted imports. The vulnerability operates at the application layer and affects the platform's authorization framework, which should enforce strict separation between view-only and modify privileges as defined in standard security principles.

The operational impact of this vulnerability extends beyond simple data modification to compromise the entire integrity of MISP event content. A view-only user could inject malicious data, alter existing event attributes, or manipulate threat intelligence information that other users rely upon for security decision-making. This represents a significant risk to threat intelligence sharing workflows where data accuracy and trustworthiness are paramount. The vulnerability essentially allows privilege escalation from read-only access to write capabilities within the scope of events they can view, creating potential for data poisoning and undermining the platform's reputation as a secure information sharing environment.

The fix implemented addresses this issue by enforcing consistent modification rights checks across all import processing paths, ensuring that the same authorization validation logic used in other module result handling scenarios is applied to misp_standard imports. This remediation aligns with established security practices and follows the principle of least privilege enforcement that should be maintained throughout all system components. The solution prevents unauthorized data persistence by requiring proper write permissions before any import module output can be saved to events, effectively closing the authorization bypass gap.

This vulnerability maps to CWE-284 (Improper Access Control) and demonstrates the importance of consistent security controls across all application paths. From an ATT&CK perspective, this represents a privilege escalation technique that could enable adversaries with read-only access to gain write capabilities within the MISP environment. The issue highlights the critical need for comprehensive access control validation in data processing workflows where multiple import mechanisms exist. Organizations relying on MISP for threat intelligence sharing must consider the implications of this vulnerability on their security operations and incident response procedures, particularly when dealing with sensitive threat data that requires strict integrity controls and audit trails.

Responsible

CIRCL

Reservation

07/08/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!