Security Advisory - Published 2026-06-22 - MISP / Threat Intelligence

MISP CVE-2026-56422: check object ownership and sharing scope

MISP through 2.5.41 is affected by a mass assignment issue around request-controlled object fields. Operators should patch, then review whether events, proposals, sharing groups, organisations, or objects changed owner or scope during the exposure window.

Defensive scope: this page is for owned MISP instances and approved response work. It covers inventory, log review, patching, and compromise review.

Affected version

CVE             Product  Affected        CVSS
CVE-2026-56422  MISP     through 2.5.41  9.4

Owner self-check

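# Deployed commit of the MISP checkout
git -C /var/www/MISP rev-parse --short HEAD 2>/dev/null
# Version and commit strings in the logs and VERSION.json
grep -Rni 'MISP version\|2\.5\.\|commit' /var/www/MISP/app/tmp/logs /var/www/MISP/VERSION.json 2>/dev/null
# Most recent log lines that touch ownership or sharing-scope fields
grep -Rni 'SharingGroup\|event_id\|org_id\|organisation_uuid\|proposal\|galaxy_cluster_uuid' /var/www/MISP/app/tmp/logs 2>/dev/null | tail -150
# Log files modified in the last 10 days (-maxdepth must precede the tests)
find /var/www/MISP/app/tmp/logs -maxdepth 1 -type f -mtime -10 -print 2>/dev/null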

What to review

  • MISP version, Git commit, package source, and whether every web worker is on the patched code.
  • Events, objects, proposals, sharing groups, galaxies, and organisations changed by lower-privileged accounts.
  • Objects that moved to another event, organisation, owner, or sharing group without a normal change ticket.
  • Audit logs, API auth key activity, REST imports, and form edits around the first suspicious timestamp.
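
One way to triage the second and third items, as an added example (not MISP or vendor code). It assumes you have exported audit-log changes to a tab-separated file with one changed field per row (time, user, role, model, model_id, field, old, new); that layout is invented for this example and is not MISP's native log format, and the role labels, addresses and IDs in the sample are constructed.

```shell
#!/bin/sh
# Added example: flag ownership/scope changes made by non-privileged roles.
# ASSUMPTION: input is an operator-built TSV export, one changed field per row:
#   time  user  role  model  model_id  field  old  new

flag_scope_changes() {
    # $1 = TSV file, $2 = comma-separated roles treated as privileged (hypothetical labels)
    awk -F '\t' -v priv="${2:-admin,site_admin}" '
        BEGIN {
            n = split(priv, p, ",")
            for (i = 1; i <= n; i++) trusted[p[i]] = 1
            # Fields that decide which event, organisation or sharing group owns an object
            m = split("org_id,event_id,sharing_group_id,organisation_uuid,galaxy_cluster_uuid", f, ",")
            for (i = 1; i <= m; i++) watched[f[i]] = 1
        }
        # Keep rows where a watched field really changed (string compare) and the
        # editing role is not on the privileged list
        NF >= 8 && ($6 in watched) && ($7 "") != ($8 "") && !($3 in trusted) {
            printf "%s\t%s\t%s:%s\t%s\t%s->%s\n", $1, $2, $4, $5, $6, $7, $8
        }
    ' "$1"
}

write_sample() {
    # Constructed sample rows; "|" is converted to tabs so the listing stays readable
    tr '|' '\t' > "$1" <<'EOF'
2026-06-20T10:01:00Z|analyst@example.org|user|Object|101|event_id|55|77
2026-06-20T10:02:00Z|analyst@example.org|user|Attribute|900|comment|old|new
2026-06-20T10:03:00Z|root@example.org|site_admin|Event|77|org_id|1|2
2026-06-20T10:04:00Z|sync@example.org|sync|Event|55|sharing_group_id|3|3
2026-06-20T10:05:00Z|analyst@example.org|user|SharingGroup|3|org_id|2|9
EOF
}

# Demo run on the constructed sample
demo_file=$(mktemp)
write_sample "$demo_file"
flag_scope_changes "$demo_file"
rm -f "$demo_file"
```

Rows it prints are candidates for the change-ticket comparison above, not confirmed abuse; adjust the privileged role list to match the instance's own roles.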

Safe fix path

  1. Patch MISP beyond the affected 2.5.41 line or apply the vendor commits for the deployed branch.
  2. Restart MISP workers and PHP services so stale code is not still serving requests.
  3. Preserve MISP audit logs before cleanup. Export suspect event and sharing-group changes for review.
  4. Rotate API keys for accounts that made suspicious edits or had broad organisation-level access.

Repair help

Use Ping7 CVE Repair when MISP stores sensitive threat-intelligence data, audit logs show unexplained object moves, or you need a second review before restoring API access.

References