PT-2026-48972 · Misp+1
Andras Iklody +1 · Published 2026-06-12 · Updated 2026-06-12 · CVE-2026-54360
CVSS v4.0: 8.4 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
MISP (affected versions not specified)
Description
A mass assignment issue exists in the sharing group creation endpoint. The controller fails to remove a user-supplied id field before saving data. In CakePHP, providing a primary key during a save operation can cause the system to update an existing record instead of creating a new one. An authenticated user with permissions to add sharing groups can submit the identifier of an existing group to modify it, bypassing standard edit access-control checks. This allows an attacker to take over or alter sharing groups they are not authorized to access, impacting the confidentiality and integrity of the shared information. The issue is located in the add() action of the app/Controller/SharingGroupsController.php component.
Recommendations
As a temporary workaround, restrict access to the add() action in the app/Controller/SharingGroupsController.php controller to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
IDOR
Weakness Enumeration
Related Identifiers
Affected Products
Cakephp
Misp
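The save behaviour named in the Description, modelled in plain PHP next to a hardened add handler. This is an added example, not MISP or CakePHP code: GroupStore, addUnfiltered, addHardened and the field names are hypothetical, and the in-memory store only imitates the "primary key present means update" rule.

```php
<?php
// Added illustration, not MISP code. GroupStore is a hypothetical in-memory
// stand-in for an ORM whose save() updates when a primary key is supplied.
final class GroupStore
{
    public array $rows = [];
    private int $nextId = 1;
    public function save(array $data): int
    {
        $id = (int)($data['id'] ?? 0);
        if (isset($this->rows[$id])) {
            // Primary key matches an existing row: UPDATE instead of INSERT.
            $this->rows[$id] = array_merge($this->rows[$id], $data);
            return $id;
        }
        $id = $this->nextId++;
        unset($data['id']);
        $this->rows[$id] = ['id' => $id] + $data;
        return $id;
    }
}

// Pattern the advisory describes: request data reaches save() with 'id' intact.
function addUnfiltered(GroupStore $store, array $request, int $userId): int
{
    return $store->save(array_merge($request, ['owner_id' => $userId]));
}

// Hardened add: copy only allow-listed fields, so 'id' never reaches save().
function addHardened(GroupStore $store, array $request, int $userId): int
{
    $allowed = ['name', 'description'];   // assumed field names
    $clean = array_intersect_key($request, array_flip($allowed));
    $clean['owner_id'] = $userId;
    return $store->save($clean);
}

$store = new GroupStore();
$existing = addHardened($store, ['name' => 'CERT partners'], 10);

// Constructed request from user 20 carrying an existing primary key.
$request = ['id' => $existing, 'name' => 'renamed'];

$created = addHardened($store, $request, 20);
printf("hardened:   new row %d, row %d owner still %d\n",
    $created, $existing, $store->rows[$existing]['owner_id']);
$touched = addUnfiltered($store, $request, 20);
printf("unfiltered: row %d updated, owner now %d\n",
    $touched, $store->rows[$touched]['owner_id']);
```

With the allow-list in place, an add request can only ever create a row, so changes to an existing group must go through the edit path where the access-control check is applied.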