CVE-2026-56422

CRITICALPre-NVD 9.49.4
EchelonGraph scoreMEDIUM confidence

This critical-severity CVE scores 9.4 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.4%, top 72% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:circl, epss
Trending — 3 sources updated this week
9.4
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 9.4Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, and related nested object identifiers) without consistently stripping, pinning, or revalidating them against the server-authorized object.

In affected paths, an authenticated user with access to one authorized object could submit crafted REST or form payloads that caused MISP to save data against a different object than the one checked by the authorization logic. Depending on the endpoint, this could allow object overwrite, object re-parenting, ownership transfer, unauthorized sharing-group scoping, event/object injection, proposal retargeting, or stored attacker-controlled content appearing in another user’s context.

The fixes harden affected create/edit/import flows by stripping client-supplied primary keys on create-only saves, re-pinning route- or database-authorized identifiers before save operations, validating effective sharing-group scope, and adding field whitelists where ownership fields must never be editable. The initial broad fix also added a central CRUDComponent::edit() primary-key re-pin so payload-supplied IDs cannot redirect saves away from the already-authorized row. GitHub’s patch for 7acf8220c describes this central issue as CRUDComponent::edit() copying supplied fields, including a payload primary key, onto the loaded record, allowing CakePHP save() to update an arbitrary row unless the loaded ID is re-pinned.

CVSS v3
9.4
EG Score
9.4(medium)
EPSS
28.3%
KEV
Not listed

Published

June 22, 2026

Last Modified

June 23, 2026

Advisory Details (10)

Auto-updated Jun 22, 2026
Patch available. Sources: github_commit.
github_commit Patch Available

commit 7acf8220cafa (MISP/MISP)

Patch available: MISP/MISP v2.5.42 (contains commit 7acf8220cafa)

https://github.com/MISP/MISP/commit/7acf8220cafac58bcfb362da37aca512fe4bb396
github_commit Patch Available

commit 63aebc27a878 (MISP/MISP)

Patch available: MISP/MISP v2.5.42 (contains commit 63aebc27a878)

https://github.com/MISP/MISP/commit/63aebc27a878233b9475c742985aaef909bc755b
github_commit Patch Available

commit 634f1f87c295 (MISP/MISP)

Patch available: MISP/MISP v2.5.42 (contains commit 634f1f87c295)

https://github.com/MISP/MISP/commit/634f1f87c295193486c08c2c7ba1fee8a7339baa
github_commit Patch Available

commit 58f637aaab4d (MISP/MISP)

Patch available: MISP/MISP v2.5.42 (contains commit 58f637aaab4d)

https://github.com/MISP/MISP/commit/58f637aaab4d133e72f1454ebb963191d96d3b78
github_commit Patch Available

commit 57433015815e (MISP/MISP)

Patch available: MISP/MISP v2.5.42 (contains commit 57433015815e)

https://github.com/MISP/MISP/commit/57433015815e59db5a1f11536f90920952cf3fcd
github_commit Patch Available

commit 3ff6bd9cfdab (MISP/MISP)

Patch available: MISP/MISP v2.5.42 (contains commit 3ff6bd9cfdab)

https://github.com/MISP/MISP/commit/3ff6bd9cfdab5d41b4667ea7298d88ffd6f3fcb8
github_commit Patch Available

commit 2cc26f38f3e8 (MISP/MISP)

Patch available: MISP/MISP v2.5.42 (contains commit 2cc26f38f3e8)

https://github.com/MISP/MISP/commit/2cc26f38f3e85c594957899f09043d5193146607
github_commit Patch Available

commit 05aad418c57b (MISP/MISP)

Patch available: MISP/MISP v2.5.42 (contains commit 05aad418c57b)

https://github.com/MISP/MISP/commit/05aad418c57bb78e6b58a843d70d45de8f50db45
github_commit Patch Available

commit 025f71150685 (MISP/MISP)

Patch available: MISP/MISP v2.5.42 (contains commit 025f71150685)

https://github.com/MISP/MISP/commit/025f711506850aadb69cde1b57e5e5d57628c87f
github_commit Patch Available

commit 00b2e3dae56f (MISP/MISP)

Patch available: MISP/MISP v2.5.42 (contains commit 00b2e3dae56f)

https://github.com/MISP/MISP/commit/00b2e3dae56fa24ea750eb525cc4709b7e5bee85

Vendor Advisories for CVE-2026-56422(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 96× in last 7d / 199× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

Showing the most recent 100 of 199 total refreshes for this CVE.

  1. 2026-07-07 08:14 UTCEG score recompute
  2. 2026-07-07 08:14 UTCGHSA enrichment
  3. 2026-07-07 04:21 UTCEG score recompute
  4. 2026-07-07 04:20 UTCGHSA enrichment
  5. 2026-07-07 00:21 UTCEG score recompute
  6. 2026-07-07 00:21 UTCGHSA enrichment
  7. 2026-07-06 20:29 UTCEG score recompute
  8. 2026-07-06 20:29 UTCGHSA enrichment
  9. 2026-07-06 16:33 UTCEG score recompute
  10. 2026-07-06 16:33 UTCGHSA enrichment
  11. 2026-07-06 16:27 UTCEPSS rescore
  12. 2026-07-06 16:27 UTCEPSS rescore
  13. 2026-07-06 12:31 UTCEG score recompute
  14. 2026-07-06 12:31 UTCGHSA enrichment
  15. 2026-07-06 08:39 UTCEG score recompute
  16. 2026-07-06 08:39 UTCGHSA enrichment
  17. 2026-07-06 04:37 UTCEG score recompute
  18. 2026-07-06 04:37 UTCGHSA enrichment
  19. 2026-07-06 02:23 UTCEPSS rescore
  20. 2026-07-06 02:23 UTCEPSS rescore
  21. 2026-07-06 00:45 UTCEG score recompute
  22. 2026-07-06 00:45 UTCGHSA enrichment
  23. 2026-07-05 20:53 UTCEG score recompute
  24. 2026-07-05 20:53 UTCGHSA enrichment
  25. 2026-07-05 16:58 UTCEG score recompute
Show 75 more
  1. 2026-07-05 16:58 UTCGHSA enrichment
  2. 2026-07-05 13:06 UTCEG score recompute
  3. 2026-07-05 13:06 UTCGHSA enrichment
  4. 2026-07-05 09:14 UTCEG score recompute
  5. 2026-07-05 09:14 UTCGHSA enrichment
  6. 2026-07-05 05:20 UTCEG score recompute
  7. 2026-07-05 05:20 UTCGHSA enrichment
  8. 2026-07-05 02:31 UTCEPSS rescore
  9. 2026-07-05 02:30 UTCEPSS rescore
  10. 2026-07-05 01:22 UTCEG score recompute
  11. 2026-07-05 01:22 UTCGHSA enrichment
  12. 2026-07-04 21:30 UTCEG score recompute
  13. 2026-07-04 21:29 UTCGHSA enrichment
  14. 2026-07-04 17:38 UTCEG score recompute
  15. 2026-07-04 17:37 UTCGHSA enrichment
  16. 2026-07-04 13:44 UTCEG score recompute
  17. 2026-07-04 13:44 UTCGHSA enrichment
  18. 2026-07-04 09:53 UTCEG score recompute
  19. 2026-07-04 09:53 UTCGHSA enrichment
  20. 2026-07-04 06:31 UTCEPSS rescore
  21. 2026-07-04 06:31 UTCEPSS rescore
  22. 2026-07-04 05:59 UTCEG score recompute
  23. 2026-07-04 05:59 UTCGHSA enrichment
  24. 2026-07-04 01:59 UTCEG score recompute
  25. 2026-07-04 01:58 UTCGHSA enrichment
  26. 2026-07-03 22:06 UTCEG score recompute
  27. 2026-07-03 22:05 UTCGHSA enrichment
  28. 2026-07-03 18:12 UTCEG score recompute
  29. 2026-07-03 18:12 UTCGHSA enrichment
  30. 2026-07-03 14:18 UTCEG score recompute
  31. 2026-07-03 14:18 UTCGHSA enrichment
  32. 2026-07-03 10:26 UTCEG score recompute
  33. 2026-07-03 10:26 UTCGHSA enrichment
  34. 2026-07-03 06:30 UTCEG score recompute
  35. 2026-07-03 06:30 UTCGHSA enrichment
  36. 2026-07-03 02:33 UTCEG score recompute
  37. 2026-07-03 02:33 UTCGHSA enrichment
  38. 2026-07-02 22:41 UTCEG score recompute
  39. 2026-07-02 22:41 UTCGHSA enrichment
  40. 2026-07-02 18:50 UTCEG score recompute
  41. 2026-07-02 18:49 UTCGHSA enrichment
  42. 2026-07-02 14:57 UTCEG score recompute
  43. 2026-07-02 14:57 UTCGHSA enrichment
  44. 2026-07-02 11:06 UTCEG score recompute
  45. 2026-07-02 11:06 UTCGHSA enrichment
  46. 2026-07-02 06:44 UTCEG score recompute
  47. 2026-07-02 06:44 UTCGHSA enrichment
  48. 2026-07-02 02:52 UTCEG score recompute
  49. 2026-07-02 02:52 UTCGHSA enrichment
  50. 2026-07-01 23:00 UTCEG score recompute
  51. 2026-07-01 23:00 UTCGHSA enrichment
  52. 2026-07-01 19:08 UTCEG score recompute
  53. 2026-07-01 19:08 UTCGHSA enrichment
  54. 2026-07-01 15:17 UTCEG score recompute
  55. 2026-07-01 15:17 UTCGHSA enrichment
  56. 2026-07-01 15:07 UTCEPSS rescore
  57. 2026-07-01 11:24 UTCEG score recompute
  58. 2026-07-01 11:24 UTCGHSA enrichment
  59. 2026-07-01 07:31 UTCEG score recompute
  60. 2026-07-01 07:31 UTCGHSA enrichment
  61. 2026-07-01 03:39 UTCEG score recompute
  62. 2026-07-01 03:38 UTCGHSA enrichment
  63. 2026-06-30 23:46 UTCEG score recompute
  64. 2026-06-30 23:46 UTCGHSA enrichment
  65. 2026-06-30 23:22 UTCEPSS rescore
  66. 2026-06-30 19:45 UTCEG score recompute
  67. 2026-06-30 19:45 UTCGHSA enrichment
  68. 2026-06-30 15:53 UTCEG score recompute
  69. 2026-06-30 15:53 UTCGHSA enrichment
  70. 2026-06-30 11:59 UTCEG score recompute
  71. 2026-06-30 11:59 UTCGHSA enrichment
  72. 2026-06-30 08:06 UTCEG score recompute
  73. 2026-06-30 08:06 UTCGHSA enrichment
  74. 2026-06-30 04:14 UTCEG score recompute
  75. 2026-06-30 04:14 UTCGHSA enrichment

Frequently asked(5)

What is CVE-2026-56422?
CVE-2026-56422 is a critical vulnerability published on June 22, 2026. Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys (id) and ownership/scope foreign keys (eventid, orgid, userid, sharinggroupid, galaxyclusteruuid, organisationuuid, and related nested object identifiers) without consistently…
When was CVE-2026-56422 disclosed?
CVE-2026-56422 was first published in the National Vulnerability Database on June 22, 2026, with the most recent update on June 23, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-56422 actively exploited?
CVE-2026-56422 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 28.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-56422?
CVE-2026-56422 has a CVSS v4.0 base score of 9.4 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-56422?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-56422, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-56422

Explore →

Is Your Infrastructure Affected by CVE-2026-56422?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.