CVE-2026-61474 in MISP
Summary
by MITRE • 07/09/2026
An improper authorization check in MISP’s attribute creation endpoint allowed an authenticated user with permission to add attributes to submit a sharing_group_id without triggering the corresponding sharing group authorization check, as long as the attribute distribution value was not explicitly set to 4 — “sharing group”.
As a result, a user could reference or associate an attribute with a sharing group they were not authorized to use. This could lead to an access-control bypass affecting the integrity of attribute sharing metadata and potentially expose or misuse restricted sharing group relationships.
The patch changes the authorization logic so that the sharing group permission check is performed whenever a non-empty sharing_group_id is provided, regardless of the selected distribution value.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
This vulnerability represents a critical authorization flaw in the MISP (Malware Information Sharing Platform) system that undermines the integrity of its collaborative threat intelligence sharing mechanisms. The issue manifests within the attribute creation endpoint where the system fails to properly validate sharing group permissions when users submit attributes with specific distribution settings. The flaw specifically affects authenticated users who possess the legitimate permission to add attributes but lack proper authorization to access certain sharing groups. This misconfiguration creates a pathway for privilege escalation through unauthorized metadata manipulation.
The technical implementation of this vulnerability stems from an incomplete authorization check logic within MISP's permission validation system. When users submit attributes with a sharing_group_id parameter, the system should consistently verify that the user has proper authorization to access that specific sharing group regardless of other attribute parameters. However, the existing code structure only triggers the sharing group authorization check under specific conditions - namely when the distribution value is explicitly set to 4, which corresponds to "sharing group" distribution. This conditional logic creates a security gap where users can bypass authorization controls by simply avoiding the explicit setting of distribution value 4 while still providing a valid sharing_group_id.
The operational impact of this vulnerability extends beyond simple data exposure to encompass potential compromise of collaborative threat intelligence workflows and integrity of shared security information. An attacker could maliciously associate attributes with restricted sharing groups, potentially exposing sensitive threat intelligence to unauthorized parties or manipulating the metadata relationships that govern how information flows between different security teams and organizations. This bypass affects the fundamental trust model of MISP's sharing infrastructure and could enable coordinated attacks against specific threat intelligence communities or compromise ongoing investigations by leaking information to unauthorized participants.
The fix implemented addresses this vulnerability by modifying the authorization logic to enforce consistent sharing group permission validation. The patch ensures that whenever a non-empty sharing_group_id parameter is provided during attribute creation, regardless of the distribution value selected, the system performs the necessary authorization checks to verify that the authenticated user possesses proper access rights to that specific sharing group. This change aligns with established security principles and follows the principle of least privilege enforcement as outlined in various cybersecurity frameworks including those referenced in CWE-285, which addresses improper authorization scenarios. The solution effectively closes the authorization gap by implementing mandatory permission validation for all sharing group references rather than relying on conditional logic that could be circumvented.
This vulnerability type corresponds to CWE-285 - Improper Authorization, and demonstrates characteristics consistent with ATT&CK technique T1078 - Valid Accounts, where legitimate user credentials are used to access restricted resources through flawed authorization controls. The patch implementation provides a robust defense against this class of vulnerability by enforcing mandatory permission validation across all sharing group interactions, thereby strengthening MISP's overall security posture and protecting the integrity of threat intelligence sharing relationships between security organizations.