CVE-2026-54396

MISP AuthKey edit endpoint allows authenticated user email enumeration

Assigner: CIRCL
Reserved: 12.06.2026 Published: 12.06.2026 Updated: 12.06.2026

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	misp
Product	misp
Versions	Default: unaffected affected from 0 to 2.5.40 (excl.)

Vendor

misp

Product

misp

Versions

Default: unaffected

affected from 0 to 2.5.40 (excl.)

Credits

Jeroen Pinoy finder
Andras Iklody remediation developer

References

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE

Impacts

CAPEC-54 Query System for Information