CVE-2026-9084

MEDIUM

MISP OIDC authentication bypass via automatic email-based account linking under insecure IdP configurations

Title source: cna

Description

MISP’s OIDC authentication plugin automatically linked an OIDC identity to an existing local user account by matching the token’s email claim whenever that local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced (for example, an IdP that lets users register with an arbitrary address), an attacker holding a valid OIDC token could assert a victim’s email address and authenticate as that user, resulting in account takeover.
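To make the linking path concrete, the following added Python model (example code, not MISP’s PHP plugin or its upstream fix) contrasts the email-fallback behaviour described above with a hardened variant that keys identities on (iss, sub), accepts only trusted issuers, and permits email-based linking only when the operator opts in and the IdP asserts email_verified. The user records, issuer URLs and token claims are constructed for the example.

```python
"""Illustrative model of OIDC-to-local-account linking (example code, not MISP's).

All users, issuers and token claims below are constructed; no network or OIDC
library is involved, so the file runs offline.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LocalUser:
    username: str
    email: str
    sub: Optional[str] = None   # OIDC subject stored once the account has been linked
    iss: Optional[str] = None   # issuer the stored sub belongs to


class LinkRejected(Exception):
    """Raised when a token must not be mapped to any local account."""


def make_users():
    """Constructed sample data: an admin who has never logged in via OIDC,
    and a user whose account is already bound to a subject."""
    return [
        LocalUser("admin", "admin@example.org"),
        LocalUser("bob", "bob@example.org", sub="bob-sub", iss="https://idp.example.org"),
    ]


def resolve_vulnerable(users, claims):
    """Linking logic of the kind the advisory describes.

    A stored sub wins, but an account with no stored sub is claimed by whoever
    presents a token whose email claim matches it. The email claim is taken at
    face value, so an IdP that lets users pick their own address hands out any
    still-unlinked account (an admin who never used SSO is the obvious target).
    """
    for u in users:
        if u.sub is not None and u.sub == claims["sub"]:
            return u
    for u in users:
        if u.sub is None and u.email.lower() == claims["email"].lower():
            u.sub = claims["sub"]           # first-seen subject is persisted: link made
            return u
    return None


def resolve_hardened(users, claims, trusted_issuers, allow_email_linking=False):
    """Hardened variant (illustrative, not the upstream fix).

    - only tokens from an explicitly trusted issuer are considered;
    - identity is keyed on (iss, sub), since sub is unique per issuer only;
    - automatic email linking is off unless the operator opts in, and even
      then the IdP must assert email_verified for the address.
    """
    iss = claims.get("iss")
    if iss not in trusted_issuers:
        raise LinkRejected(f"untrusted issuer {iss!r}")
    for u in users:
        if u.sub is not None and (u.iss, u.sub) == (iss, claims["sub"]):
            return u
    if not allow_email_linking:
        raise LinkRejected("no account bound to this subject; automatic linking disabled")
    if claims.get("email_verified") is not True:
        raise LinkRejected("email claim not asserted as verified by the IdP")
    for u in users:
        if u.sub is None and u.email.lower() == claims["email"].lower():
            u.sub, u.iss = claims["sub"], iss
            return u
    raise LinkRejected("no unlinked account matches the verified email")


if __name__ == "__main__":
    # Constructed attacker token: trusted issuer, attacker's own sub, victim's email,
    # and no email_verified because this IdP never checks address ownership.
    attacker = {"iss": "https://idp.example.org", "sub": "attacker-sub",
                "email": "admin@example.org"}
    print("vulnerable ->", resolve_vulnerable(make_users(), attacker).username)
    try:
        resolve_hardened(make_users(), attacker, {"https://idp.example.org"},
                         allow_email_linking=True)
    except LinkRejected as e:
        print("hardened   ->", e)
```

Note that the vulnerable path is only open while the target account has no stored sub: once the legitimate owner has logged in via OIDC, the same attacker token no longer matches, which is why the window is largest for privileged accounts that never used SSO.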

Scores

CVSS v4 6.0
EPSS 0.0018
EPSS Percentile 7.9%
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-287
Status published
Products (1)
misp/misp 2.5.0 - 2.5.37
Published May 20, 2026
Tracked Since May 20, 2026