Back to overview

CVE-2026-61474

MEDIUM
5.3
CVSS 4.0
Description
An improper authorization check in MISP’s attribute creation endpoint allowed an authenticated user with permission to add attributes to submit a sharing_group_id without triggering the corresponding sharing group authorization check, as long as the attribute distribution value was not explicitly set to 4 — “sharing group”. As a result, a user could reference or associate an attribute with a sharing group they were not authorized to use. This could lead to an access-control bypass affecting the integrity of attribute sharing metadata and potentially expose or misuse restricted sharing group relationships. The patch changes the authorization logic so that the sharing group permission check is performed whenever a non-empty sharing_group_id is provided, regardless of the selected distribution value.

Metadata

CVE ID
CVE-2026-61474
State
PUBLISHED
Assigner
CIRCL
Reserved
2026-07-09 15:05 UTC
Published
2026-07-09 15:06 UTC
Last updated
2026-07-09 16:08 UTC
Primary CWE
CWE-863
CWE-863 Incorrect Authorization
Vendor / Product
misp / misp
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
misp misp 0 ≤ 2.5.42
Weakness (CWE)
CWESourceDescription
CWE-863 cna CWE-863 Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:L/SA:N
Back to overview