GCVE-1-2026-0016
Vulnerability from gna-1 – Published: 2026-02-27 10:56 – Updated: 2026-02-27 10:56
Title
Server-Side Request Forgery via Event Report Import From URL in MISP
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the Event Report import from URL functionality of MISP prior to the fix introduced in commit `71fb543a1929de73a53a8ce645cb446f684ec243`.
The `importReportFromUrl` endpoint allowed authenticated users with sufficient privileges to instruct the MISP server to fetch content from arbitrary URLs without explicit administrator opt-in. Because requests were performed by the server itself, an attacker could cause the application to initiate HTTP requests to internal or otherwise restricted network resources.
This behavior could allow access to internal services reachable from the MISP host, potentially exposing sensitive information or enabling further network pivoting.
The issue has been addressed by gating the functionality behind a new configuration setting:
The feature is now disabled by default and must be explicitly enabled by an administrator. Additional UI and server-side checks were added to prevent access when the setting is not enabled.
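The mitigation the summary describes, a deny-by-default feature gate enforced on the server rather than only in the UI, as an added Python example. This is not MISP's own code: the setting name `import_report_from_url_enabled` is a placeholder (the advisory does not name the real key), and the fetcher is a stub that contacts nothing.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Placeholder key: the advisory does not name MISP's real setting.
FEATURE_KEY = "import_report_from_url_enabled"


class FeatureDisabled(PermissionError):
    """Raised when the import-from-URL feature is not enabled server-side."""


@dataclass
class ServerConfig:
    settings: Dict[str, Any] = field(default_factory=dict)

    def is_enabled(self, key: str) -> bool:
        # Fail closed: a missing key, None, or a string such as "false"
        # all count as disabled; only a real boolean True enables it.
        return self.settings.get(key) is True


def import_report_from_url(url: str, config: ServerConfig,
                           fetch: Callable[[str], str]) -> str:
    """Server-side entry point for the import-from-URL action.

    The check runs on every call, whether or not the UI hid the button:
    a UI-only gate is bypassed by calling the endpoint directly.
    """
    if not config.is_enabled(FEATURE_KEY):
        raise FeatureDisabled(
            "Import from URL is disabled; an administrator must enable it.")
    return fetch(url)


def run_scenarios() -> Dict[str, Any]:
    """Exercise the gate against constructed configs; record fetcher calls."""
    fetched: List[str] = []

    def recording_fetch(url: str) -> str:
        # Stub fetcher: records the URL instead of performing a request.
        fetched.append(url)
        return "<report body from %s>" % url

    results: Dict[str, Any] = {}
    # Constructed sample URL; nothing is contacted.
    sample_url = "http://example.invalid/report.md"

    for name, cfg in [
        ("default", ServerConfig()),                              # key absent
        ("string_false", ServerConfig({FEATURE_KEY: "false"})),   # misconfigured
        ("string_true", ServerConfig({FEATURE_KEY: "true"})),     # not a bool
        ("enabled", ServerConfig({FEATURE_KEY: True})),           # explicit opt-in
    ]:
        try:
            import_report_from_url(sample_url, cfg, recording_fetch)
            results[name] = "fetched"
        except FeatureDisabled:
            results[name] = "denied"
    results["fetch_calls"] = len(fetched)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Only the configuration with an explicit boolean `True` reaches the fetcher; the absent key and both string values are treated as disabled, which is the behaviour an administrator expects from an opt-in setting.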
CWE
- CWE-20 - Improper Input Validation
References
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/71fb543a1929de73a53a8ce645cb446f684ec243 | patch |
Credits
Sami Mokaddem (aka Graphman)
Maxime ESCOURBIAC from Michelin CERT
```json
{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "misp",
          "vendor": "misp",
          "versions": [
            {
              "lessThanOrEqual": "2.5.32",
              "status": "affected"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Sami Mokaddem"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Maxime ESCOURBIAC from Michelin CERT"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A Server-Side Request Forgery (SSRF) vulnerability exists in the\u0026nbsp;\u003ci\u003eEvent Report import from URL\u003c/i\u003e functionality of MISP prior to the fix introduced in commit `\u003ctt\u003e71fb543a1929de73a53a8ce645cb446f684ec243\u003c/tt\u003e`.\u003cbr\u003e\u003cbr\u003eThe `\u003ctt\u003eimportReportFromUrl\u003c/tt\u003e` endpoint allowed authenticated users with sufficient privileges to instruct the MISP server to fetch content from arbitrary URLs without explicit administrator opt-in. Because requests were performed by the server itself, an attacker could cause the application to initiate HTTP requests to internal or otherwise restricted network resources.\u003cbr\u003e\u003cbr\u003eThis behavior could allow access to internal services reachable from the MISP host, potentially exposing sensitive information or enabling further network pivoting.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eThe issue has been addressed by gating the functionality behind a new configuration setting:\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe feature is now disabled by default and must be explicitly enabled by an administrator. Additional UI and server-side checks were added to prevent access when the setting is not enabled.\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "A Server-Side Request Forgery (SSRF) vulnerability exists in the\u00a0Event Report import from URL functionality of MISP prior to the fix introduced in commit `71fb543a1929de73a53a8ce645cb446f684ec243`.\n\nThe `importReportFromUrl` endpoint allowed authenticated users with sufficient privileges to instruct the MISP server to fetch content from arbitrary URLs without explicit administrator opt-in. Because requests were performed by the server itself, an attacker could cause the application to initiate HTTP requests to internal or otherwise restricted network resources.\n\nThis behavior could allow access to internal services reachable from the MISP host, potentially exposing sensitive information or enabling further network pivoting.\n\nThe issue has been addressed by gating the functionality behind a new configuration setting:\n\n\n\n\nThe feature is now disabled by default and must be explicitly enabled by an administrator. Additional UI and server-side checks were added to prevent access when the setting is not enabled."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:L/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/MISP/MISP/commit/71fb543a1929de73a53a8ce645cb446f684ec243"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Server-Side Request Forgery via Event Report Import From URL in MISP",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "datePublished": "2026-02-27T10:56:32.745676Z",
    "dateUpdated": "2026-02-27T10:56:32.745676Z",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED",
    "vulnId": "gcve-1-2026-0016",
    "vulnerabilitylookup_history": [
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-02-27T10:56:32.745676Z"
      ]
    ]
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.