CVE-2026-10855: MISP Event Template Authorization Flaw – Patch Guidance
MISP, a threat intelligence platform, contained an authorization flaw in its event template import feature. When an authenticated user attempted to overwrite an existing event template, the system verified that a template with that name existed but failed to check whether the importing user's organization actually owned it. This allowed users from one organization to forcibly overwrite event templates belonging to other organizations. The flaw only affected non-administrator users; site administrators retained the ability to manage templates across organizational boundaries by design. The vulnerability has been remediated by adding an ownership verification step before permitting any template overwrite operation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-22
NVD description (verbatim)
An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcibly overwrite an event template owned by another organization. Successful exploitation could allow unauthorized modification of another organization’s event template, potentially altering template structure, attributes, or metadata used for subsequent event creation or sharing workflows. Site administrators are not affected by this restriction, as they are explicitly allowed to overwrite templates across organizations. The issue was fixed by enforcing an ownership check before overwrite: non-site-admin users may only overwrite templates owned by their own organization.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10855 is a broken authorization vulnerability in MISP's Event Template Importer affecting the overwrite workflow. The root cause is a missing authorization check in the template replacement logic: the application performed an existence check on the target template but omitted verification that the requesting user belonged to the template owner's organization. The vulnerability is classified as CWE-862 (Missing Authorization) and assigned CVSS v3.1 score 4.3 (MEDIUM severity, with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). The flaw requires network access, low complexity, authenticated user privileges, and results in integrity impact without confidentiality or availability loss. Exploitation modifies the template but does not alter other resources. The fix enforces organizational ownership validation for non-administrative accounts before permitting overwrites.
Business impact
Organizations using MISP for collaborative threat intelligence sharing face operational and data integrity risk. An attacker with legitimate access to MISP could compromise the reliability of event templates maintained by partner organizations, potentially degrading the quality of threat data workflows, alert templates, or sharing rule sets. If templates are used to automate event correlation or enrichment, malicious modifications could cause downstream analysis errors or false positives. The impact is contained to template structure and metadata rather than event data itself, and administrative oversight can detect and restore tampered templates. However, undetected modifications could silently degrade intelligence quality over time, particularly in environments with many inter-organizational template dependencies.
Affected systems
The vulnerability affects MISP (Malware Information Sharing Platform) as distributed by the MISP Project. All versions prior to the patched release are potentially impacted. Site administrators and super-users are not affected, as they have explicit cross-organizational template management permissions. Only non-administrator authenticated users with access to the template import feature can trigger the flaw. Organizations with single-organization deployments or those that restrict template import privileges to administrators only face lower exposure.
Exploitability
Exploitation requires an active MISP user account and network access to the template import interface. The attack vector is network-based, complexity is low (no special conditions or race conditions required), and authentication is mandatory. An attacker cannot exploit this anonymously or remotely without valid credentials. Once authenticated, the attacker can use the standard template import UI to overwrite any template name, regardless of organizational ownership. No user interaction or special technical skill is needed beyond knowledge of the target template identifier. The attack is deterministic and leaves audit traces in import logs, making detection feasible if logs are monitored. The relatively straightforward exploitation path is partially offset by the requirement for valid user credentials and the medium severity rating reflecting limited direct impact scope.
Remediation
Update MISP to a patched version that implements organizational ownership validation in the template overwrite workflow. The vendor fix enforces a check confirming that the importing user's organization matches the owning organization of the target template before any overwrite is permitted. Non-administrative users cannot bypass this check. Site administrators retain their cross-organizational permissions. After patching, verify that template import functionality operates normally and that cross-organization template access is restricted as intended. Organizations should review template import audit logs for the period prior to patching to identify any unauthorized overwrites, then restore affected templates from backups if needed.
Patch guidance
Consult the MISP Project security advisories and release notes for the specific patched version addressing CVE-2026-10855. The fix is expected to be included in a maintenance release following the vulnerability publication date of June 4, 2026 (modified June 22, 2026). Apply patches through the standard MISP update mechanism, which typically involves pulling the latest source from the project repository or installing via package manager if available. Test the patched version in a non-production environment to confirm that legitimate template imports and overwrites by authorized users continue to function. Verify that cross-organization overwrites are now blocked for non-administrators. Coordinate patching with dependent systems that may rely on template synchronization across MISP instances.
Detection guidance
Monitor MISP's template import audit logs for unusual patterns: overwrites of templates by users whose organization does not match the template owner, or repeated failed import attempts. Inspect the MISP database directly for templates with modification timestamps that do not correlate with known legitimate import activities. Compare template versions across time to identify unexpected structural changes, attribute additions, or metadata alterations. Set alerts on failed authorization checks if MISP exposes such events in its logging framework. For organizations with federated MISP instances, track synchronization events to detect if malicious templates propagated between instances. Review user account activity to identify accounts that accessed the template import feature outside normal operational windows or with unusual frequency.
Why prioritize this
This vulnerability merits timely but not emergency patching. The MEDIUM severity rating reflects the requirement for authenticated access and limited scope of impact (template metadata modification only, not event data or system availability). However, the flaw directly undermines trust in multi-organization threat intelligence collaboration, and undetected template manipulation could silently degrade analysis quality. Organizations that share MISP templates across organizational boundaries should prioritize patching within standard maintenance windows. Those with single-organization deployments or restricted template import privileges may defer patching slightly but should not neglect it, as insider threats or compromised user accounts could still exploit the flaw. The lack of CISA KEV status indicates no active exploitation in the wild as of the vulnerability publication date.
Risk score, explained
CVE-2026-10855 receives a CVSS v3.1 score of 4.3 (MEDIUM) based on: network-accessible attack surface, low complexity of exploitation, mandatory authentication (reducing casual abuse), and integrity impact limited to template objects without affecting confidentiality or availability. The score reflects realistic attack scenarios where organizational trust boundaries are meaningful in MISP deployments. The relatively lower score appropriately captures that template tampering, while damaging, does not directly compromise event data, system uptime, or user credentials. Organizations with high operational reliance on template integrity or those managing sensitive threat feeds may assign higher internal risk scores to reflect business context.
Frequently asked questions
Can an attacker exploit this vulnerability to steal threat intelligence data or modify events?
No. The vulnerability is confined to unauthorized modification of template metadata and structure. Actual threat intelligence events, indicators, and attributes are not directly affected. An attacker could alter how future events are created from a compromised template, but cannot read or modify existing event data through this flaw.
Does patching disrupt legitimate cross-organization template sharing in MISP?
No. Patching enforces ownership checks only for non-administrative users. Site administrators and accounts with appropriate role-based permissions retain the ability to manage templates across organizations as designed. Legitimate template imports within an organization are unaffected.
How can we identify if our MISP instance was compromised via this vulnerability before we patch?
Review template import logs and database audit trails for the period before patching. Look for templates modified by users whose organization does not own them, or unexpected changes to template structure, attributes, or metadata. Compare template versions over time and correlate with user account activity and import timestamps.
Is this vulnerability actively exploited in the wild?
As of the vulnerability publication date (June 4, 2026), this vulnerability is not tracked in CISA's Known Exploited Vulnerabilities catalog, indicating no confirmed active exploitation detected in the wild at that time. However, organizations should not rely on lack of known exploitation as a reason to delay patching.
This analysis is provided for informational purposes and represents the state of knowledge as of the vulnerability publication date. SEC.co makes no warranty regarding the accuracy, completeness, or fitness of this information. Organizations must independently verify patch availability, compatibility, and deployment procedures with the MISP Project vendor advisories and their own security teams. Exploitation scenarios described are representative; actual impact depends on deployment architecture, access controls, and monitoring posture. This document does not constitute security advice or a substitute for professional incident response or threat assessment. Security leaders should validate all remediation steps in controlled environments before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-12714MEDIUMRank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUMMissing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUMMissing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUMMissing Authorization in ThimPress Thim Core 2.3.3
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-27351MEDIUMMissing Authorization in Sekander Badsha Crew HRM—Patch Guidance & Risk Analysis
- CVE-2026-41014MEDIUMApache Airflow Unauthorized DAG Access via Asset Permissions