SecuriTricks - CVE-2026-54396

Description

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.

Product(s) Impacted

Vendor	Product	Versions
Misp	Misp	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	misp	misp	/	/	/	/	/	/	/	/

References

https://github.com/MISP/MISP/commit/42737f4e88df801486334690913dd344e447fac3

CVSS Score

5.3 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: LOW
User Interaction: NONE
Scope:
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: June 12, 2026, 9:16 p.m.
Last Modified: June 12, 2026, 9:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

5a6e4751-2f3f-4070-9419-94fb35b644e8

CVE-2026-54396