CVE-2026-54396— MISP AuthKey编辑端点允许已认证用户枚举邮箱
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-54396の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
MISP AuthKey edit endpoint allows authenticated user email enumeration
ソース: NVD (National Vulnerability Database)
脆弱性説明
An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body.
ソース: NVD (National Vulnerability Database)
CVSS情報
N/A
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
信息暴露
ソース: NVD (National Vulnerability Database)
影響を受ける製品
II. CVE-2026-54396の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2026-54396のインテリジェンス情報
请登录查看更多情报信息。
CVE-2026-54396 补丁与修复 (1)
Same Patch Batch · misp · 2026-06-12 · 12 CVEs total
| CVE-2026-54358 | MISP organization administrators can target site administrator accounts for password reset | |
| CVE-2026-54362 | MISP template builder exposes non-visible custom galaxies across organisations | |
| CVE-2026-54359 | MISP automation endpoints may be exposed to CSRF when Sec-Fetch-Site protection is disable | |
| CVE-2026-54398 | MISP object edit authorization bypass allows unauthorized sharing group assignment | |
| CVE-2026-54394 | MISP organisation logo path traversal allows retrieval of arbitrary PNG/SVG files | |
| CVE-2026-54357 | MISP improper authorization allows organization administrators to modify site administrato | |
| CVE-2026-54393 | MISP Overmind theme stored XSS via unvalidated homepage setting | |
| CVE-2026-54395 | MISP UiBeta event index reflected XSS in advanced filter popup | |
| CVE-2026-54397 | MISP event editing allows unauthorized assignment to undisclosed sharing groups | |
| CVE-2026-54360 | MISP sharing group creation mass assignment allows unauthorized takeover of existing shari | |
| CVE-2026-54361 | MISP mass assignment vulnerabilities allow unauthorized modification of ownership and dele |
IV. 関連脆弱性
同じ製品: misp
- CVE-2026-54398
MISP object edit authorization bypass allows unauthorized sh - CVE-2026-54397
MISP event editing allows unauthorized assignment to undiscl - CVE-2026-54395
MISP UiBeta event index reflected XSS in advanced filter pop - CVE-2026-54394
MISP organisation logo path traversal allows retrieval of ar - CVE-2026-54393
MISP Overmind theme stored XSS via unvalidated homepage sett
同じベンダー: misp
- CVE-2026-54398
MISP object edit authorization bypass allows unauthorized sh - CVE-2026-54397
MISP event editing allows unauthorized assignment to undiscl - CVE-2026-54395
MISP UiBeta event index reflected XSS in advanced filter pop - CVE-2026-54394
MISP organisation logo path traversal allows retrieval of ar - CVE-2026-54393
MISP Overmind theme stored XSS via unvalidated homepage sett
同じ弱点: CWE-200
- CVE-2026-49397
Nezha Monitoring: Private services (`EnableShowInService: fa - CVE-2026-47124
Nezha WebSocket server stream discloses cross-tenant server - CVE-2026-47264
Discourse: Don't leak restricted tag group names via tag inf - CVE-2026-47263
Discourse: Prevent webhook payload disclosure on event redel - CVE-2026-44785
Discourse: Hidden reply-to post raw can be disclosed through
V. CVE-2026-54396へのコメント
まだコメントはありません