CVE-2026-9136— Unauthorized ShadowAttribute modification in MISP via client-supplied identifier

Unauthorized ShadowAttribute modification in MISP via client-supplied identifier

A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a new proposal. This can result in unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user should not be able to alter. Depending on deployment configuration and accessible API responses, the issue may also expose or move proposal data across event contexts. The vulnerability is caused by trusting a client-supplied primary key during object creation. The fix removes the id field from incoming ShadowAttribute data before processing, ensuring that the endpoint always creates a new proposal rather than updating an existing one. This has been fixed in MISP 2.5.38.

N/A

通过用户控制密钥绕过授权机制

MISP 安全漏洞

MISP是MISP开源的一套开源的软件解决方案。该产品用于收集、存储、分发、共享网络安全指标，并具有威胁网络安全事件分析和恶意软件分析等功能。 MISP 2.5.38之前版本存在安全漏洞，该漏洞源于ShadowAttribute提案创建工作流中未移除id字段，可能导致认证用户提交影子属性提案时更新现有记录而非创建新提案，造成未经授权修改现有影子属性。

N/A

N/A