CVEFinder.io

CVE-2026-44380

⚠️ high
Description

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. This vulnerability is fixed in 2.5.37.

CVSS Score
7.2
High
EPSS Score
0.1
Exploit Probability
Published Date
2026-05-13
First Seen: 2026-05-17
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 55.5% of all 327,350 vulnerabilities in our database.

Severity Percentile: rank #145,695 (above average severity)
🎯 CISA SSVC Assessment Updated: May 14, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2026-05-15
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)

📦 Affected Products 1

🔗 References 1

🔗 Related CVEs 6

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-10854 | 🔶 medium | 4.3 | 0.0 | A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxi... | 2026-06-04 |
| CVE-2026-10855 | 🔶 medium | 4.3 | 0.0 | An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template i... | 2026-06-04 |
| CVE-2026-10856 | 🔶 medium | 6.1 | 0.0 | A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a loc... | 2026-06-04 |
| CVE-2026-10861 | 🔶 medium | 6.1 | 0.0 | An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_lo... | 2026-06-04 |
| CVE-2026-10860 | 🔶 medium | 6.5 | 0.0 | A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used th... | 2026-06-04 |
| CVE-2026-10863 | ⚠️ high | 8.1 | 0.0 | A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted fr... | 2026-06-04 |
These CVEs affect the same products