CVE-2026-56446

Authenticated Remote Code Execution via Arbitrary NDJSON Error Log Path in MISP

Assigner: CIRCL
Reserved: 22.06.2026 Published: 22.06.2026 Updated: 22.06.2026

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a web-accessible directory and inject PHP code through logged data. Accessing the resulting file could lead to remote code execution with the privileges of the web server process.

The fix restricts log destinations to existing directories beneath APP/tmp/logs or /var/log, requires absolute paths, rejects stream wrappers and traversal-related input, and limits filenames to .log or .ndjson extensions while disallowing executable extension segments.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	High	Integrity	High	Integrity	High
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	misp
Product	misp
Versions	Default: unaffected affected from 0 to 2.5.41 (incl.)

Vendor

misp

Product

misp

Versions

Default: unaffected

affected from 0 to 2.5.41 (incl.)

Credits

Jeroen Pinoy finder
Jakub Chyliński finder
Andras Iklody remediation developer

References

Problem Types

CWE-94 Improper Control of Generation of Code ('Code Injection') CWE

Impacts

CAPEC-242 Code Injection