CVE-2026-60125 in MISPinfo

Summary

by MITRE • 07/08/2026

MISP’s importModule() path used getEnabledModule() to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by getEnabledModules(). As a result, an authenticated user from an organisation that was not allowed to use a module restricted via Plugin.Import_<module>_restrict could still invoke that import module directly if they knew its name.


This could allow unauthorised access to restricted import-module functionality and, depending on the module and the user’s event permissions, may allow unauthorised import or modification of event data through a module that should have been unavailable to the user’s organisation.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability described represents a critical authorization bypass in the MISP (Malware Information Sharing Platform) system that stems from an inconsistent implementation of access controls within its module management framework. This issue specifically affects the import module functionality where the system fails to properly enforce organizational restrictions when resolving individual modules versus bulk operations. The root cause lies in the differing behavior between getEnabledModule() and getEnabledModules() functions, creating a security gap that undermines the intended access control mechanisms.

The technical flaw manifests when an authenticated user attempts to invoke a specific import module by name using the importModule() function. While this function correctly utilizes getEnabledModule() to resolve the target module, it fails to apply the same organizational restriction checks that are enforced by getEnabledModules(). This discrepancy allows threat actors or authorized users from organizations that have been explicitly restricted from using certain modules via the Plugin.Import__restrict configuration to directly access those modules through their known names. The vulnerability essentially creates a backdoor path that circumvents the intended permission model.

The operational impact of this vulnerability extends beyond simple unauthorized access to potentially enabling data manipulation and integrity compromise within MISP environments. When an organization is restricted from using specific import modules, this restriction typically exists to prevent potential security risks or data exposure scenarios associated with those particular tools. However, the authorization bypass allows users to invoke these modules directly, potentially enabling them to import malicious data, modify existing events, or access sensitive information through functionality that should have been entirely unavailable to their organization. The severity of this impact depends on the specific module involved and the user's existing event permissions within the system.

This vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic case of insufficient authorization checks in software systems. The issue demonstrates how seemingly minor implementation inconsistencies can create significant security weaknesses, particularly in systems that handle sensitive threat intelligence data. From an ATT&CK perspective, this vulnerability maps to privilege escalation techniques where attackers leverage misconfigurations or implementation flaws to gain access to restricted functionality. Organizations implementing MISP should immediately review their import module configurations and ensure proper enforcement of organizational restrictions across all access pathways. The recommended mitigation involves updating the importModule() function to consistently apply the same authorization checks used by getEnabledModules(), ensuring that all module access paths enforce the same organizational restriction policies.

The broader implications for cybersecurity operations highlight the critical importance of consistent access control implementation in security platforms. MISP environments where this vulnerability exists may be at risk of unauthorized data manipulation, potential information leakage, or even the introduction of malicious threat intelligence through restricted import channels. Organizations should conduct immediate assessments of their module access controls and consider implementing additional monitoring for unusual import module usage patterns that could indicate exploitation attempts.

Responsible

CIRCL

Reservation

07/08/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!