CVEFinder.io

CVE-2026-9136

πŸ”Ά medium
πŸ” Scan for this CVE
Summary

A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a

Description

A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a new proposal.




This can result in unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user should not be able to alter. Depending on deployment configuration and accessible API responses, the issue may also expose or move proposal data across event contexts.




The vulnerability is caused by trusting a client-supplied primary key during object creation. The fix removes the id field from incoming ShadowAttribute data before processing, ensuring that the endpoint always creates a new proposal rather than updating an existing one. This has been fixed in MISP 2.5.38.

CVSS Score
6.5
Medium
EPSS Score
0.2
Exploit Probability
Published Date
2026-05-20
First Seen: 2026-05-21
πŸ“Š Relative Risk Intelligence

This CVE is Lower Risk - more severe than 47.8% of all 330,193 vulnerabilities in our database.

#172,448
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 20, 2026
πŸ” Exploitation Status
None
No known exploits
βš™οΈ Automatable
NO
Requires human interaction
πŸ’₯ Technical Impact
Partial
Limited system impact
πŸ† Discovered By
Seth Kraft
SSVC data provided by CISA
Last Modified 2026-06-22
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-639

πŸ“¦ Affected Products 2

Vendor Product Status Affected Versions
misp misp Affected
> 2.5.0 < 2.5.38
misp-project misp Affected
> 2.5.0 < 2.5.38

πŸ”— References 1

https://github.com/MISP/MISP/commit/49911b1d4b6e4517...
Patch

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-56423 ⚠️ high 8.8 0.3 MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The a... 2026-06-22
CVE-2026-56424 ⚠️ high 8.8 0.4 MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong ent... 2026-06-22
CVE-2026-56425 ⚠️ high 8.8 0.3 The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorizat... 2026-06-22
CVE-2026-56446 ⚠️ high 7.2 0.4 MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool... 2026-06-22
CVE-2026-56447 ⚠️ high 7.2 0.3 MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path... 2026-06-22
CVE-2026-10854 πŸ”Ά medium 4.3 0.2 A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxi... 2026-06-04
These CVEs affect the same products