Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-56423

Gravedad CVSS v4.0:
CRÍTICA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
22/06/2026
Última modificación:
23/06/2026

Descripción

*** Pendiente de traducción *** MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object.<br /> <br /> For Event Reports, EventReportsController::deleteSelection relied on the global perm_add capability rather than a per-report ownership/authorization check. As a result, a contributor-level user could submit report IDs or UUIDs for reports belonging to other organisations and hard-delete them instance-wide. The fix changed the callback to call EventReport::fetchIfAuthorized($user, $itemId, &amp;#39;delete&amp;#39;) for each selected report before deletion.<br /> <br /> <br /> <br /> <br /> For Sharing Groups, SharingGroupsController::deleteSelection relied on the global perm_sharing_group capability rather than verifying ownership of each selected sharing group. This allowed a sharing-group-capable user to hard-delete sharing groups owned by other organisations, bypassing the per-object ownership gate used by the single-object delete action. The fix changed the callback to call SharingGroup::checkIfOwner($user, $itemId) for each selected sharing group.<br /> <br /> <br /> <br /> <br /> An authenticated attacker with the relevant broad role permission could abuse the affected bulk deletion endpoints to delete objects outside their organisation’s authorization scope, causing loss of event-report content or sharing-group configuration across the instance.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:* 2.5.42 (excluyendo)