[{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.42", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Sami Mokaddem"}, {"lang": "en", "type": "finder", "value": "Berk Polat"}, {"lang": "en", "type": "remediation reviewer", "value": "Claude Opus 4.8 (1M context) aka Claudy"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>MISP\u2019s <code>importModule()</code> path used <code>getEnabledModule()</code> to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by <code>getEnabledModules()</code>. As a result, an authenticated user from an organisation that was not allowed to use a module restricted via <code>Plugin.Import_&lt;module&gt;_restrict</code> could still invoke that import module directly if they knew its name.</p>\n<p>This could allow unauthorised access to restricted import-module functionality and, depending on the module and the user\u2019s event permissions, may allow unauthorised import or modification of event data through a module that should have been unavailable to the user\u2019s organisation.</p><br>"}], "value": "MISP\u2019s importModule() path used getEnabledModule() to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by getEnabledModules(). As a result, an authenticated user from an organisation that was not allowed to use a module restricted via Plugin.Import_<module>_restrict could still invoke that import module directly if they knew its name.\n\n\nThis could allow unauthorised access to restricted import-module functionality and, depending on the module and the user\u2019s event permissions, may allow unauthorised import or modification of event data through a module that should have been unavailable to the user\u2019s organisation."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:L", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/0ed79b4d3177f4b9e44040962161a1a436d2587d"}], "source": {"discovery": "UNKNOWN"}, "title": "importModule function in MISP ignores per-organisation import module restrictions", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20112"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20112", "datePublished": "2026-07-08T13:36:15.651888Z", "dateUpdated": "2026-07-08T13:36:48.095956Z", "cveId": "CVE-2026-60125", "dateReserved": "2026-07-08T13:36:48.024Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}, {"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "misp", "repo": "https://github.com/misp/misp", "vendor": "misp", "versions": [{"lessThanOrEqual": "2.5.42", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "remediation developer", "value": "Sami Mokaddem"}, {"lang": "en", "type": "finder", "value": "Berk Polat"}, {"lang": "en", "type": "remediation reviewer", "value": "Claude Opus 4.8 (1M context) aka Claudy"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>An authorization bypass in MISP\u2019s <code>EventsController::importModule()</code> allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the <code>misp_standard</code> format, the write path did not verify event modification rights before saving the module output. This could allow a view-only user to inject or alter event data, impacting the integrity of MISP event content. The issue was fixed by enforcing the same modification-rights check used by related module result handling paths before processing <code>misp_standard</code> imports.</div><div><br></div>"}], "value": "An authorization bypass in MISP\u2019s EventsController::importModule() allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the misp_standard format, the write path did not verify event modification rights before saving the module output. This could allow a view-only user to inject or alter event data, impacting the integrity of MISP event content. The issue was fixed by enforcing the same modification-rights check used by related module result handling paths before processing misp_standard imports."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-9000-000000000000"}, "references": [{"tags": ["patch"], "url": "https://github.com/MISP/MISP/commit/d0725fc34fda256cc57e5a8f0543cd541033e008"}], "source": {"discovery": "UNKNOWN"}, "title": "MISP importModule missing authorization allows read-only users to modify events via misp_standard imports", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_gcve": [{"recordType": "advisory", "vulnId": "gcve-1-2026-20004"}]}}, "cveMetadata": {"assignerOrgId": "00000000-0000-4000-9000-000000000000", "requesterUserId": "00000000-0000-4000-9000-000000000000", "serial": 1, "state": "PUBLISHED", "vulnId": "gcve-1-2026-20004", "datePublished": "2026-07-08T13:29:57.644210Z", "dateUpdated": "2026-07-08T13:30:08.436075Z", "cveId": "CVE-2026-60124", "dateReserved": "2026-07-08T13:30:08.370Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}]
