← All CVEs

CVE-2026-54362

MEDIUM 5.3

Published 2026-06-12 · Last modified 2026-06-15

An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users.

NO EXPLOITATION SIGNALS

No known exploitation, public exploit, or elevated probability at this time. Track for changes.

Exploitation likelihood

0.2%chance of exploitation in 30 days · 11th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

5.3CVSS 4.0 · MEDIUM

  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: Requires a low-privilege account
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable
  • Requirements: No special attack requirements

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Misp

Products Misp

Weakness (CWE)

  • CWE-863: Incorrect authorization

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Sources: NVD · CVE.org · EPSS