CVE-2026-56422

MISP · MISP

MISP core controllers fail to properly validate ownership and primary keys, allowing authenticated users to perform unauthorized data modifications on objects they do not own.

Executive summary

A critical authorization flaw in MISP allows authenticated users to manipulate and overwrite unauthorized data, potentially compromising the integrity of sensitive threat intelligence.

Vulnerability

The vulnerability exists in the core CRUD components, where client-controlled request fields, such as primary keys, are not re-pinned to, or validated against, the object the user is authorized to edit. An authenticated attacker can manipulate REST/form payloads to perform unauthorized object overwrites, re-parenting, or ownership transfers.

Business impact

With a CVSS score of 9.4, this vulnerability represents a severe threat to data integrity. Unauthorized modification of threat intelligence objects can lead to the corruption of security feeds, the redirection of sensitive events, or the injection of malicious content into shared threat intelligence databases, significantly undermining the trust and utility of the MISP platform.

Remediation

Immediate Action: Update the MISP instance to the latest version provided by the vendor to implement the CRUDComponent::edit() primary-key re-pinning and field validation fixes.

Proactive Monitoring: Review audit logs for suspicious object modification activity, specifically looking for unexpected changes in ownership fields or unauthorized updates to primary keys.

Compensating Controls: Restrict API access to trusted users and implement strict network segmentation to limit the potential impact of an account compromise.
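The primary-key re-pinning and field validation named under Immediate Action can be modelled as follows. This is an added example, not MISP's own code (MISP is written in PHP): it is a simplified Python model of the flaw class described above, and every name in it (fresh_store, EDITABLE_FIELDS, PINNED_FIELDS, naive_edit, safe_edit) and every sample row is a constructed assumption.

```python
# Added illustration of primary-key re-pinning; a model, not MISP's code.
# Every name here is hypothetical and all sample data is constructed.

class Forbidden(Exception):
    """Raised when the caller does not own the object named by the route."""

def fresh_store():
    # Constructed sample rows: two objects owned by different organisations.
    return {
        1: {"id": 1, "org_id": 10, "event_id": 100, "value": "198.51.100.7"},
        2: {"id": 2, "org_id": 20, "event_id": 200, "value": "example.org"},
    }

EDITABLE_FIELDS = frozenset({"value", "comment"})  # allow-list for edits
PINNED_FIELDS = ("id", "org_id", "event_id")       # key, owner, parent

def naive_edit(store, user_org_id, route_id, payload):
    """Flawed pattern: authorises the routed row, then saves under the body's id."""
    record = store[route_id]
    if record["org_id"] != user_org_id:
        raise Forbidden(route_id)
    merged = {**record, **payload}
    store[merged["id"]] = merged  # the save target comes from client input
    return merged

def safe_edit(store, user_org_id, route_id, payload):
    """Hardened pattern: returns (saved_row, dropped_field_names)."""
    record = store[route_id]
    # Ownership is decided from the stored row, never from the request body.
    if record["org_id"] != user_org_id:
        raise Forbidden(route_id)
    changes = {k: v for k, v in payload.items() if k in EDITABLE_FIELDS}
    dropped = sorted(set(payload) - EDITABLE_FIELDS)
    updated = {**record, **changes}
    # Re-pin key, owner and parent to the authorised row (defence in depth).
    for field in PINNED_FIELDS:
        updated[field] = record[field]
    store[route_id] = updated
    return updated, dropped  # log `dropped` so tampering attempts are visible

if __name__ == "__main__":
    body = {"id": 2, "org_id": 10, "value": "changed"}  # constructed request body
    store = fresh_store()
    print(safe_edit(store, 10, 1, body), store[2])
```

The list of dropped field names is worth writing to the audit log: a request that tries to set a key, owner or parent field is the kind of event the Proactive Monitoring step asks reviewers to look for.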

Exploitation status

Public Exploit Available: false

Analyst recommendation

Security teams must treat this authorization bypass as a high-priority update. The vulnerability allows for significant data manipulation that could persist undetected, making immediate patching essential to maintain the integrity of intelligence sharing workflows.