External risk intelligence

MISP Code Execution via Crafted Kafka Configuration

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-56447

MISP is a web-based threat intelligence platform that is often exposed to the internet. However, this specific vulnerability requires an authenticated site administrator to modify application settings, which is a restricted action typically performed by trusted personnel rather than through public-facing anonymous access.

Misp Project Misp

before 2.5.42

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability allows an authenticated administrator to execute arbitrary code by manipulating system settings, potentially impacting the security of the MISP platform and its data. The primary concern is to confirm if this specific administrative function is utilized within your environment.

  • Code execution via system configuration changes.
  • Critical impact if MISP administrative access is compromised.
  • Verify relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with administrative access to MISP could manipulate a configuration setting to point to a malicious INI file. MISP would then parse this file, instructing it to load an external library, which could ultimately lead to arbitrary code execution with the privileges of the MISP process.

  • Authenticated administrator access required.
  • Crafted configuration file triggers vulnerability.
  • Arbitrary code execution is the risk.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an authenticated site administrator could cause MISP to execute arbitrary code by crafting a configuration file that points to an external library. This could impact the confidentiality and integrity of the MISP process.

  • Data or system asset at risk: MISP process integrity.
  • How exposure could happen: Load external library via config.
  • Realistic consequence: Arbitrary code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this vulnerability. The first step is to locate all instances of the affected technology, confirm their reachability and business criticality, and then identify the accountable owner to plan remediation based on the assessed risk.

  • Application owners and infrastructure teams.
  • Confirm affected technology reachability and criticality.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MISP and why is it used?

MISP is an open-source threat intelligence platform used by security teams to store, correlate, and share technical indicators of compromise. It acts as a central hub for collaborative cyber threat analysis, enabling organizations to track and respond to security incidents systematically.

What does CWE-829 mean for CVE-2026-56447?

CWE-829 refers to the inclusion of functionality from an untrusted control sphere. In this CVE, it means the application was tricked into loading external code from an arbitrary file path provided via a configuration setting. Because the software trusted this user-defined path, it inadvertently executed malicious instructions as if they were part of its own process.

Does this vulnerability trigger automatically?

No. The flaw does not execute on its own or through standard web browsing. It requires a specific action: an authenticated site administrator must actively modify the Kafka_rdkafka_config setting to point to a crafted, attacker-controlled configuration file. If settings are not modified to reference external files, this path is not triggered.

Is my MISP instance at risk according to Halo Surface Signal?

While Halo Surface Signal classifies this as external because MISP is often internet-facing, the risk profile is unique. The vulnerability requires administrative-level authentication, meaning it cannot be triggered by anonymous public users. Your internal security posture regarding administrative account protection is the primary factor in your actual risk.

How should I respond to this advisory?

Begin by identifying all MISP instances in your environment and verifying who has administrative access. Audit current configuration settings to ensure Kafka settings are not pointing to unusual or unexpected file paths. Prioritize applying the software update, which restricts configuration paths to approved, secure directories, effectively closing the possibility of loading unauthorized libraries.

References