CVE-2026-44380
HIGHMISP: Improper access control in auth key reset allows privilege escalation to site administrator
Title source: cnaDescription
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. This vulnerability is fixed in 2.5.37.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/MISP/MISP/security/advisories/GHSA-3939-4g6m-m3hc
Scores
CVSS v3
7.2
EPSS
0.0040
EPSS Percentile
31.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-863
Status
published
Products (2)
misp/misp
< 2.5.37
MISP/MISP
< 2.5.37
Published
May 13, 2026
Tracked Since
May 14, 2026