PT-2026-42247 · Misp · Misp

Seth Kraft · Published 2026-05-20 · Updated 2026-05-24 · CVE-2026-9136

CVSS v4.0: 8.3 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Name of the Vulnerable Software and Affected Versions

MISP versions prior to 2.5.38

Description

An issue exists in the ShadowAttribute proposal creation workflow where the add action accepts user-controlled request data without removing the id field before saving the record. Since the underlying framework interprets a supplied primary key as an instruction to update an existing record, an authenticated user can provide the identifier of an existing ShadowAttribute to update it instead of creating a new proposal. This can lead to unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user is not permitted to alter. Depending on the deployment configuration and API responses, this may also expose or move proposal data across event contexts.

Recommendations

Update to version 2.5.38.
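
The update-instead-of-create behaviour described above, shown as an added example that is not MISP's code or its patch: a toy in-memory table in PHP whose save() treats a supplied primary key as an update, with a create handler written with and without the id removed. The class, function and field names and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Toy model (constructed, not MISP code): save() follows the convention the
// advisory describes, "primary key present => update, absent => insert".
final class ProposalTable
{
    public array $rows = [];
    private int $nextId = 1;

    public function save(array $data): int
    {
        if (isset($data['id']) && isset($this->rows[(int)$data['id']])) {
            $id = (int)$data['id'];
            // Existing row is overwritten with the supplied fields.
            $this->rows[$id] = array_merge($this->rows[$id], $data, ['id' => $id]);
            return $id;
        }
        $id = $this->nextId++;
        $this->rows[$id] = array_merge($data, ['id' => $id]);
        return $id;
    }
}

// Vulnerable shape: request data reaches save() with the client's id intact.
function addProposalVulnerable(ProposalTable $t, int $eventId, array $request): int
{
    $request['event_id'] = $eventId;
    return $t->save($request);
}

// Hardened shape: copy only allow-listed fields, which drops id along with
// anything else the create path should not accept from the client.
function addProposalHardened(ProposalTable $t, int $eventId, array $request): int
{
    $allowed = ['type', 'value', 'comment'];   // hypothetical field list
    $data = array_intersect_key($request, array_flip($allowed));
    $data['event_id'] = $eventId;
    return $t->save($data);
}

// Constructed sample: proposal 1 belongs to event 10; the caller may only use event 20.
$t = new ProposalTable();
$t->save(['event_id' => 10, 'type' => 'ip-dst', 'value' => '198.51.100.7']);
$request = ['id' => 1, 'type' => 'ip-dst', 'value' => '203.0.113.9'];

$v = clone $t;  addProposalVulnerable($v, 20, $request);
$h = clone $t;  addProposalHardened($h, 20, $request);
printf("vulnerable: rows=%d row1=%s\n", count($v->rows), json_encode($v->rows[1]));
printf("hardened:   rows=%d row1=%s\n", count($h->rows), json_encode($h->rows[1]));
```

In the vulnerable run no new row appears and row 1 changes value and event, which is the signature to look for when reviewing create endpoints or audit logs: a create request that yields an update to a record outside the caller's event.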

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-9136

Affected Products: Misp