CVE-2026-60124
MISP importModule missing authorization allows read-only users to modify events via misp_standard imports
An authorization bypass in MISP’s EventsController::importModule() allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the misp_standard format, the write path did not verify event modification rights before saving the module output. This could allow a view-only user to inject or alter event data, impacting the integrity of MISP event content. The issue was fixed by enforcing the same modification-rights check used by related module result handling paths before processing misp_standard imports.
| CWE | CWE-862 |
| Vendor | misp |
| Product | misp |
| Published | Jul 8, 2026 |
| Last Updated | Jul 8, 2026 |
Get instant alerts for misp misp
Be the first to know when new unknown vulnerabilities affecting misp misp are published — delivered to Slack, Telegram or Discord.