CVE-2026-54360
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint
Published: 2026-06-12 · Last updated: 2026-06-12
Severity and scoring
- CWE
- CWE-639
Description
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one. An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups. Affected component: app/Controller/SharingGroupsController.php, add() action
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-1291 — The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST AP... (4.3 MEDIUM)
- CVE-2026-54361 — MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow at...
- CVE-2026-54357 — An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings bel...
- CVE-2026-53726 — Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js
- CVE-2026-42947 — A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a devic... (8.8 HIGH)