CVEFinder.io

CVE-2026-9136

🔶 medium
🔍 Scan for this CVE
Summary

A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a

Description

A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a new proposal.




This can result in unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user should not be able to alter. Depending on deployment configuration and accessible API responses, the issue may also expose or move proposal data across event contexts.




The vulnerability is caused by trusting a client-supplied primary key during object creation. The fix removes the id field from incoming ShadowAttribute data before processing, ensuring that the endpoint always creates a new proposal rather than updating an existing one. This has been fixed in MISP 2.5.38.

CVSS Score
6.5
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-20
First Seen: 2026-05-21
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 47.8% of all 327,350 vulnerabilities in our database.

#170,806
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 20, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Seth Kraft
SSVC data provided by CISA
Last Modified 2026-06-02
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-639

📦 Affected Products 1

Vendor Product Status Affected Versions
misp misp Affected
> 2.5.0 < 2.5.38

🔗 References 1

https://github.com/MISP/MISP/commit/49911b1d4b6e4517...
Patch

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-10854 🔶 medium 4.3 0.0 A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxi... 2026-06-04
CVE-2026-10855 🔶 medium 4.3 0.0 An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template i... 2026-06-04
CVE-2026-10856 🔶 medium 6.1 0.0 A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a loc... 2026-06-04
CVE-2026-10861 🔶 medium 6.1 0.0 An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_lo... 2026-06-04
CVE-2026-10860 🔶 medium 6.5 0.0 A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used th... 2026-06-04
CVE-2026-10863 ⚠️ high 8.1 0.0 A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted fr... 2026-06-04
These CVEs affect the same products