PT-2026-48973 · Misp · Misp

Andras Iklody +1 · Published 2026-06-12 · Updated 2026-06-12 · CVE-2026-54361

CVSS v4.0: 8.8 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions: MISP (affected versions not specified)

Description: Multiple mass assignment issues exist in the handling of collections, tag collections, event delegations, and shadow attributes. Certain controller actions accept user-supplied fields that should be server-controlled, specifically record identifiers and ownership fields such as id, org_id, orgc_id, and user_id. An authenticated attacker can craft requests to these endpoints to alter object ownership, redirect updates to different records, overwrite event delegation requests, or modify shadow attribute proposals of other organizations. This may lead to unauthorized modification of objects and potential unauthorized access to or transfer of sensitive threat intelligence data. The affected functions include CollectionsController::edit(), EventDelegationsController::delegateEvent(), ShadowAttributesController::edit(), TagCollectionsController::edit(), and TagCollectionsController::editWithTags().

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
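
The general defence against the mass assignment pattern described above, as an added example in plain PHP. This is not MISP's code or its fix: the function name, the editable-field allowlist, the ownership rule and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only fields a client may change on this record type.
const EDITABLE_FIELDS = ['name', 'description', 'distribution'];
// Fields the advisory names as server-controlled.
const SERVER_FIELDS = ['id', 'org_id', 'orgc_id', 'user_id'];

/**
 * Build the row to save for an edit request.
 *   $stored  record loaded by the id taken from the URL, never from the body
 *   $request decoded request body (untrusted)
 *   $user    authenticated session user
 * Returns [row to save, rejected field names]; the rejected names are worth logging.
 */
function buildUpdate(array $stored, array $request, array $user): array
{
    // Assumed ownership rule: only the creating organisation may edit.
    if ($user['org_id'] !== $stored['orgc_id']) {
        throw new RuntimeException('not the owner of record ' . $stored['id']);
    }
    $allowed  = array_flip(EDITABLE_FIELDS);
    $row      = array_intersect_key($request, $allowed);
    $rejected = array_keys(array_diff_key($request, $allowed));
    // Identity and ownership always come from the stored record, so a
    // client-supplied id or org_id cannot retarget or reassign the update.
    foreach (SERVER_FIELDS as $field) {
        $row[$field] = $stored[$field];
    }
    return [$row, $rejected];
}

// Constructed sample data.
$stored  = ['id' => 12, 'org_id' => 3, 'orgc_id' => 3, 'user_id' => 40,
            'name' => 'Sample set', 'description' => '', 'distribution' => 0];
$request = ['name' => 'Sample set v2', 'id' => 99, 'org_id' => 7, 'user_id' => 1];
$user    = ['id' => 40, 'org_id' => 3];

[$row, $rejected] = buildUpdate($stored, $request, $user);
echo json_encode(['save' => $row, 'rejected' => $rejected], JSON_PRETTY_PRINT), PHP_EOL;
```

Requests that arrive with any of the rejected fields set are a useful detection signal on edit endpoints, since a normal client has no reason to send them.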

Weakness Enumeration: IDOR

Related Identifiers: CVE-2026-54361

Affected Products: Misp