mediumCVE-2026-61474

MISP Attribute Sharing Group Authorization Bypass Vulnerability

An improper authorization check in MISP’s attribute creation endpoint allowed an authenticated user with permission to add attributes to submit a sharing_group_id without triggering the corresponding sharing group authorization check, as long as the attribute distribution value was not explicitly set to 4 — “sharing group”. As a result, a user could reference or associate an attribute with a sharing group they were not authorized to use. This could lead to an access-control bypass affecting the integrity of attribute sharing metadata and potentially expose or misuse restricted sharing group relationships. The patch changes the authorization logic so that the sharing group permission check is performed whenever a non-empty sharing_group_id is provided, regardless of the selected distribution value.

ProductMISP
CVSS5.3
EPSSNot scored yet
UpdatedJuly 9, 2026

Quick answer

MISP Project MISP should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

MISP is affected by an authorization bypass in the attribute creation path where sharing_group_id could be submitted without the expected sharing group permission check. Update MISP to the release containing the patch and review attribute sharing metadata for unauthorized sharing group references. Treat this as an integrity and access-control issue for threat intelligence data, especially in multi-organization MISP communities.

  1. Inventory every MISP instance and identify environments where users can create or import attributes.
  2. Upgrade MISP to the vendor-supported patched release that includes the sharing_group_id authorization fix.
  3. Restrict attribute creation, import, automation, and API permissions to trusted roles until the update is complete.
  4. Review recent attributes for sharing_group_id values associated with groups the submitting user should not be allowed to use.
  5. Audit MISP users, API keys, organizations, sharing groups, distribution values, and automation accounts for unsafe access.
  6. Rotate MISP API keys and integration credentials if unauthorized sharing group use is found.
  7. Rebuild caches and retest synchronization with trusted MISP peers after deploying the fix.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the running MISP version includes the patch for CVE-2026-61474.
  • Validate a non-authorized user cannot submit sharing_group_id for a group they cannot use.
  • Review MISP audit logs and attribute history for unauthorized sharing group references.
  • Test normal attribute creation, import, API, and sync workflows after the upgrade.
  • Run a Fixnx scan and confirm no public MISP administration or API exposure is visible.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-61474?

MISP Project MISP should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.