CVE-2026-9084
MEDIUM 6MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.
NO EXPLOITATION SIGNALS
No known exploitation, public exploit, or elevated probability at this time. Track for changes.
Exploitation likelihood
0.2%chance of exploitation in 30 days · 8th percentile
○ In CISA KEV
○ Public exploit / PoC
Impact if exploited
6CVSS 4.0 · MEDIUM
- ConfidentialityHigh
- IntegrityNone
- AvailabilityNone
What an attacker needs
- ⚠Access: Must sit on the same / adjacent network
- ✓Privileges: No account or privileges required
- ✓User interaction: No user interaction needed
- ⚠Complexity: Needs a race window or specific setup
- ⚠Requirements: Specific conditions must be present
✓ lowers the bar for an attacker · ⚠ raises it
Weakness (CWE)
- CWE-287: Improper authentication
CVSS vector
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N