CVE-2026-9084 PUBLISHED

MISP OIDC authentication bypass via automatic email-based account linking under insecure IdP configurations

Assigner: CIRCL
Reserved: 20.05.2026 Published: 20.05.2026 Updated: 20.05.2026

MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	High	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	misp
Product	misp
Versions	Default: unaffected affected from 2.5.0 to 2.5.37 (incl.)

Credits

Ali Ganiyev finder
Luciano Righetti remediation developer

References

https://github.com/MISP/MISP/commit/71f5662c1b5886613d2cd5c72fd93bb4ca6fa172

Problem Types

CWE-287 Improper Authentication CWE

Impacts

CAPEC-115 Authentication Bypass