External risk intelligence

MISP Broken Access Control Allows Unauthorized Deletion of Event Reports and Sharing Groups.

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-56423

MISP is typically deployed as a web-based threat intelligence platform that is frequently internet-facing to facilitate collaboration and data exchange between organizations. Since the vulnerability resides within core web-based bulk deletion controllers accessible to authenticated users, it is likely to be reachable in standard web-accessible deployments.

Misp Project Misp

before 2.5.42

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a flaw in MISP Core related to how it handles bulk deletions of event reports and sharing groups. The issue allowed users with broad permissions to delete content and configurations belonging to other organizations, potentially leading to data loss across the platform. The primary concern is to confirm if your deployment is affected and what exposure it may have.

  • Access control flaw in bulk delete functions.
  • Confirms relevance and exposure of MISP.
  • Understand potential for unauthorized data deletion.

Attack Path

How an attacker could exploit the issue

An attacker with contributor-level access could exploit this vulnerability by sending specially crafted requests to delete event reports or sharing groups they do not own. This bypasses checks designed to protect data belonging to other organizations, leading to the loss of critical information.

  • Authenticated user with broad permissions.
  • Bulk deletion endpoints.
  • Loss of event-report or sharing-group data.

Live Threat

Current exploitation, exposure, and threat context

An authenticated user with broad role permissions could delete event reports or sharing groups that do not belong to their organization. This could lead to the irreversible loss of valuable threat intelligence data or misconfiguration of data sharing settings across the entire MISP instance.

  • Event reports or sharing groups.
  • Authenticated user abuses bulk delete functions.
  • Loss of threat intelligence data.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in MISP Core's bulk deletion functionality impacts the platform administration and security teams. Action should begin with identifying all MISP instances, confirming their exposure, and locating the specific owner for each instance to prioritize remediation efforts.

  • Own by MISP platform administrators.
  • Verify instance reachability and owner.
  • Plan remediation during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the MISP software mentioned in CVE-2026-56423?

MISP is an open-source threat intelligence platform used by organizations to collect, correlate, and share information about cybersecurity threats. It functions as a central repository for event reports and collaborative sharing groups, allowing teams to exchange structured data securely. The platform acts as a critical hub for intelligence distribution, often facilitating cooperation between diverse security entities and research communities.

How does this CVE represent a broken access control vulnerability?

This flaw falls under CWE-862, which refers to missing authorization. In CVE-2026-56423, the software's bulk deletion tools were designed to trust broad user permissions instead of checking if the user actually owned the specific data they were trying to delete. Because the system failed to verify ownership for every individual item selected in a batch, it mistakenly allowed authorized users to perform actions on sensitive content that belonged to other organizations.

What is required for an attacker to trigger this deletion bug?

An attacker must already have an authenticated account on the MISP instance with specific broad role permissions, such as the ability to add or manage sharing groups. The bug is triggered by using the bulk deletion interface to submit IDs or UUIDs of reports or groups belonging to other parties. Notably, simply viewing or querying information does not trigger this vulnerability; the damage specifically occurs through the misuse of these specific deletion endpoints.

Why should I care about this if my MISP is internet-facing?

Halo Surface Signal indicates that MISP instances are frequently deployed with internet access to enable data sharing, making them highly reachable. If your instance is exposed to the internet, the barrier for an authenticated attacker to reach these bulk deletion controllers is lower. Because the vulnerability allows for permanent instance-wide data loss, any MISP deployment accessible to external users—or even internal users you do not fully trust—faces a significant risk.

What are the first steps to address this MISP vulnerability?

Administrators should first identify all active MISP instances under their management. Once identified, verify if your software version includes the security patches for the affected event-report and sharing-group controllers. Plan to apply the necessary updates during your next maintenance window to ensure authorization checks are enforced at the individual object level, preventing users from deleting content they do not own.

References