PT-2026-48971 · Misp · Misp

Andras Iklody · Published 2026-06-12 · Updated 2026-06-12

CVE-2026-54359 · CVSS v4.0 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: MISP (affected versions not specified)
Description: An insecure default configuration exists in which the Security.check_sec_fetch_site_header control is disabled. With the check off, state-changing requests (POST, PUT, and AJAX calls) are processed without regard to the browser-supplied Sec-Fetch-Site header. A remote, unauthenticated attacker can host a web page that causes an authenticated user's browser to send cross-site requests to MISP's automation endpoints. These forged requests are processed with the victim's privileges and may result in unauthorized modification of data or configuration.
Recommendations: Enable the Security.check_sec_fetch_site_header setting. Operators of multi-homed deployments should validate the effect of this setting before enforcing it.
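To make the control concrete, the following is an added example (not MISP's code) modelling a server-side Fetch Metadata check: with the setting off, a cross-site POST is accepted; with it on, the same request is rejected while same-origin requests and header-less legacy browsers still pass. The function and field names, and the header sets, are constructed for illustration.

```python
"""Fetch Metadata check modelled on the control the advisory describes.

Added illustration, not MISP's own code: it shows what turning the
Security.check_sec_fetch_site_header setting on changes for a forged,
state-changing request. Function and field names here are assumptions.
"""
from dataclasses import dataclass

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Values a browser may send; "none" is direct navigation (typed URL, bookmark).
ALLOWED_SITES = {"same-origin", "same-site", "none"}


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_request(method: str, headers: dict, check_enabled: bool) -> Decision:
    """Decide whether a request is processed. check_enabled=False reproduces
    the insecure default; True models the recommended setting."""
    method = method.upper()
    if method not in STATE_CHANGING:
        return Decision(True, "safe method; fetch metadata not consulted")
    if not check_enabled:
        return Decision(True, "check disabled: request accepted unconditionally")
    # Header names are case-insensitive, so match without regard to case.
    site = next((v for k, v in headers.items() if k.lower() == "sec-fetch-site"), None)
    if site is None:
        # Browsers without Fetch Metadata omit the header; rejecting them would
        # break legitimate clients, so allow and rely on other CSRF defences.
        return Decision(True, "header absent; other CSRF defences apply")
    site = site.strip().lower()
    if site in ALLOWED_SITES:
        return Decision(True, f"Sec-Fetch-Site={site} accepted")
    return Decision(False, f"cross-site {method} rejected (Sec-Fetch-Site={site})")


# Constructed headers: a browser submitting a request from an attacker-controlled page.
FORGED_POST = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors"}
# Constructed headers: the same endpoint called from the application's own UI.
LEGIT_POST = {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors"}

if __name__ == "__main__":
    for label, hdrs in (("forged", FORGED_POST), ("legitimate", LEGIT_POST)):
        for enabled in (False, True):
            d = evaluate_request("POST", hdrs, enabled)
            print(f"{label:10} check_enabled={enabled!s:5} allowed={d.allowed} ({d.reason})")
```

The header-absent branch is why the recommendation asks multi-homed operators to validate first: a page served from a different registrable domain than the API host will arrive as `cross-site` and be rejected once the check is enforced.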

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-54359

Affected Products

Misp