Misp · Misp · CVE-2026-9084
**Name of the Vulnerable Software and Affected Versions**
MISP (affected versions not specified)
**Description**
The OIDC authentication plugin allows automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account lacks a stored `sub` value. In scenarios with insecure or untrusted Identity Provider (IdP) configurations where email ownership is not verified, an attacker possessing a valid OIDC token can assert a victim's email address to authenticate as that user, resulting in account takeover.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.