{"id":"CVE-2026-56422","summary":"MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields","details":"Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.\n\nIn affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user’s context.\n\nThe fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub’s patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned.","modified":"2026-07-08T08:13:47.105633548Z","published":"2026-06-22T11:43:02.690Z","database_specific":{"cna_assigner":"CIRCL","cwe_ids":["CWE-639"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56422.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56422.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-56422"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/00b2e3dae56fa24ea750eb525cc4709b7e5bee85"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/025f711506850aadb69cde1b57e5e5d57628c87f"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/05aad418c57bb78e6b58a843d70d45de8f50db45"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/2cc26f38f3e85c594957899f09043d5193146607"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/3ff6bd9cfdab5d41b4667ea7298d88ffd6f3fcb8"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/57433015815e59db5a1f11536f90920952cf3fcd"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/58f637aaab4d133e72f1454ebb963191d96d3b78"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/634f1f87c295193486c08c2c7ba1fee8a7339baa"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/63aebc27a878233b9475c742985aaef909bc755b"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/7acf8220cafac58bcfb362da37aca512fe4bb396"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/8311427c2edd72a8341f0a65e1f11073d7ad9191"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/84bafe69f5d0ab7f811371c0801a613f271ebc0b"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/9341690e9b6dde7f0605edea5533e05ba7362e35"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/ab9619dfa6cb5210fd20fb3b0b57006e4fc93916"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/bc182d55dde5686a36ca2eb88fe6c2adabb9fad9"},{"type":"FIX","url":"https://github.com/MISP/MISP/commit/c80a3533b3d787f45f5185a4621cc0f05b0cf2e5"},{"type":"PACKAGE","url":"https://github.com/misp/misp"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/misp/misp","events":[{"introduced":"0"},{"fixed":"00b2e3dae56fa24ea750eb525cc4709b7e5bee85"},{"fixed":"025f711506850aadb69cde1b57e5e5d57628c87f"},{"fixed":"05aad418c57bb78e6b58a843d70d45de8f50db45"},{"fixed":"2cc26f38f3e85c594957899f09043d5193146607"},{"fixed":"3ff6bd9cfdab5d41b4667ea7298d88ffd6f3fcb8"},{"fixed":"57433015815e59db5a1f11536f90920952cf3fcd"},{"fixed":"58f637aaab4d133e72f1454ebb963191d96d3b78"},{"fixed":"634f1f87c295193486c08c2c7ba1fee8a7339baa"},{"fixed":"63aebc27a878233b9475c742985aaef909bc755b"},{"fixed":"7acf8220cafac58bcfb362da37aca512fe4bb396"},{"fixed":"8311427c2edd72a8341f0a65e1f11073d7ad9191"},{"fixed":"84bafe69f5d0ab7f811371c0801a613f271ebc0b"},{"fixed":"9341690e9b6dde7f0605edea5533e05ba7362e35"},{"fixed":"ab9619dfa6cb5210fd20fb3b0b57006e4fc93916"},{"fixed":"bc182d55dde5686a36ca2eb88fe6c2adabb9fad9"},{"fixed":"c80a3533b3d787f45f5185a4621cc0f05b0cf2e5"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2.5.41"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v2.5.37","v2.5.36","v2.5.35","v2.5.34","v2.5.33","v2.5.32","v2.5.31","v2.5.30","v2.5.29","v2.5.28","v2.5.27","v2.5.26","v2.5.25","v2.5.24","v2.5.23","v2.5.22","v2.5.21","v2.5.20","v2.5.19","v2.5.18","v2.5.17","v2.5.16","v2.5.15","v2.5.12","v2.5.14","v2.5.13","v2.5.11","v2.5.10","v2.5.9","v2.5.8","v2.5.7","v2.5.0","v2.4.196","v2.4.195","v2.4.194","v2.4.193","v2.4.192","v2.4.191","v2.4.190","v2.4.189","v2.4.188","v2.4.187","v2.4.186","v2.4.175","v2.4.185","v2.4.183","v2.4.184","v2.4.153","v2.4.152","v2.4.137","v2.4.136","v2.4.134","v2.4.133","v2.4.130","v2.4.128","v2.4.127","v2.4.125","v2.4.123","v2.4.122","v2.4.121","v2.4.120","v2.4.118","v2.4.111","rm","v2.4.110","v2.4.109","codename/tellurium","v2.4.107","v2.4.106","v2.4.102","v2.4.101","v2.4.100","v2.4.98","v2.4.96","v2.4.95","v2.4.94","v2.4.93","v2.4.91","v2.4.89","v2.4.88","v2.4.87","v2.4.86","v2.4.85","v2.4.83","v2.4.82","v2.4.80","v2.4.78","v2.4.65","v2.4.64","v2.4.63","v2.4.62","v2.4.61","v2.4.60","v2.4.59","v2.4.58","v2.4.57","v2.4.56","v2.4.54","v2.4.53","v2.4.52","v2.4.51","v2.4.50","v2.4.48","v2.4.47","v2.4.46","v2.4.45","v2.4.43","v2.4.39","v2.4.38","v2.4.37","v2.4.36","v2.4.35","v2.4.34","v2.4.27","v2.4.26","v2.4.25","v2.4.24","v2.4.23","v2.4.22","v2.4.21","v2.4.20","v2.4.18","v2.4.17","v2.4.16","v2.4.15","v2.4.14","v2.4.13","v2.4.11","v2.4.10","v2.4.9","v2.4.7","v2.4.5","v2.4.4","v2.4.3","v2.4.2","v2.4.1","v2.4.0","v2.3.0","v0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56422.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}