PT-2026-51307 · MISP Core

Authors: Andras Iklody +2

Published: 2026-06-22 · Updated: 2026-06-22

CVE-2026-56423

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: MISP Core (affected versions not specified)

Description: Broken access-control checks exist in the bulk deletion flows for Event Reports and Sharing Groups. The deleteSelection handlers authorized deletions using broad role-level permissions instead of validating authorization for each selected object.

For Event Reports, the EventReportsController::deleteSelection function relied on the global perm add capability, allowing contributor-level users to hard-delete reports belonging to other organizations by submitting report IDs or UUIDs. For Sharing Groups, the SharingGroupsController::deleteSelection function relied on the global perm sharing group capability, enabling users to delete sharing groups owned by other organizations.

An authenticated attacker with these broad role permissions could delete objects outside their organization's authorization scope, leading to the loss of event-report content or sharing-group configurations across the instance.
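The flaw described above is a general pattern: a bulk handler performs one role-level check up front and then acts on every submitted ID or UUID without asking whether the caller may touch each object. The Python below is an added illustration of that pattern beside its hardened form; it is not MISP's code, and the user model, permission flag names (`perm_add`, `perm_sharing_group`), the `Store` class and the sample rows are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Constructed illustration of a bulk-deletion authorization flaw and its fix.
# Names, permission flags and sample data are assumptions, not MISP's code.

Key = Union[int, str]   # selections may arrive as numeric IDs or UUID strings

@dataclass(frozen=True)
class User:
    name: str
    org_id: int
    perms: frozenset            # role-level flags, e.g. {"perm_add"}
    site_admin: bool = False    # instance admins may act across orgs

@dataclass
class Owned:
    """An org-owned record such as an event report or a sharing group."""
    id: int
    uuid: str
    org_id: int
    deleted: bool = False

class Store:
    """In-memory table addressable by integer ID or by UUID."""
    def __init__(self, rows: List[Owned]):
        self.rows: Dict[int, Owned] = {r.id: r for r in rows}
        self.by_uuid: Dict[str, Owned] = {r.uuid: r for r in rows}

    def find(self, key: Key):
        if isinstance(key, int) or (isinstance(key, str) and key.isdigit()):
            return self.rows.get(int(key))
        return self.by_uuid.get(key)

    def live(self) -> List[int]:
        return sorted(r.id for r in self.rows.values() if not r.deleted)

def delete_selection_vulnerable(store: Store, user: User, keys: List[Key],
                                required_perm: str) -> List[int]:
    """Flawed pattern: a single role check gates the whole bulk delete,
    so any row the caller can name gets removed regardless of owner."""
    if required_perm not in user.perms:
        raise PermissionError("role lacks " + required_perm)
    deleted = []
    for k in keys:
        row = store.find(k)
        if row is not None and not row.deleted:
            row.deleted = True
            deleted.append(row.id)
    return deleted

def delete_selection_fixed(store: Store, user: User, keys: List[Key],
                           required_perm: str) -> Tuple[List[int], List[str]]:
    """Hardened pattern: keep the role check, then authorize each object
    against the caller's organization before deleting it."""
    if required_perm not in user.perms:
        raise PermissionError("role lacks " + required_perm)
    deleted, denied = [], []
    for k in keys:
        row = store.find(k)
        # Unknown keys are reported exactly like forbidden ones, so the
        # response does not reveal whether another org's object exists.
        if row is None or row.deleted:
            denied.append(str(k))
            continue
        if not (user.site_admin or row.org_id == user.org_id):
            denied.append(str(k))
            continue
        row.deleted = True
        deleted.append(row.id)
    return deleted, denied

def sample_reports() -> Store:
    """Constructed sample: one report owned by org 1, two owned by org 2."""
    return Store([
        Owned(1, "11111111-1111-4111-8111-111111111111", org_id=1),
        Owned(2, "22222222-2222-4222-8222-222222222222", org_id=2),
        Owned(3, "33333333-3333-4333-8333-333333333333", org_id=2),
    ])

def demo():
    """Org-1 contributor submits its own report plus two foreign ones,
    one by numeric ID and one by UUID."""
    contributor = User("alice", org_id=1, perms=frozenset({"perm_add"}))
    keys: List[Key] = [1, "2", "33333333-3333-4333-8333-333333333333"]
    vuln = sample_reports()
    vuln_deleted = delete_selection_vulnerable(vuln, contributor, keys, "perm_add")
    fixed = sample_reports()
    ok, denied = delete_selection_fixed(fixed, contributor, keys, "perm_add")
    return vuln_deleted, vuln.live(), ok, denied, fixed.live()

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable handler removing all three rows for a user who owns only one of them, while the hardened handler deletes row 1 and reports the two foreign keys as denied. The same shape applies to the sharing-group flow by swapping the required flag; the per-object check is what matters, not which role flag opens the door.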
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-56423

Affected Products: MISP Core