Broken Access Control in Bulk Deletion Operations

MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object. For Event Reports, EventReportsController::deleteSelection relied on the global perm_add capability rather than a per-report ownership/authorization check. As a result, a contributor-level user could submit report IDs or UUIDs for reports belonging to other organisations and hard-delete them instance-wide. The fix changed the callback to call EventReport::fetchIfAuthorized($user, $itemId, 'delete') for each selected report before deletion. For Sharing Groups, SharingGroupsController::deleteSelection relied on the global perm_sharing_group capability rather than verifying ownership of each selected sharing group. This allowed a sharing-group-capable user to hard-delete sharing groups owned by other organisations, bypa

Casky was already ahead

This CVE exploits attack patterns that Casky's 283matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

CVE-2026-56423 represents a critical authorization bypass vulnerability in MISP Core's bulk deletion handlers for Event Reports and Sharing Groups. The vulnerability stems from inadequate access-control validation in the deleteSelection flows, where authorization checks rely on broad role-level permissions rather than per-object ownership validation. This means a contributor-level user can delete Event Reports they don't own by submitting arbitrary report IDs or UUIDs, effectively allowing unauthorized data destruction across the platform. Organizations deploying MISP for threat intelligence coordination face significant risks of data loss, integrity violations, and potential compliance breaches when malicious or compromised contributor accounts exploit this flaw.

Casky's 283 matching skills leverage Claude's extended reasoning to detect the attack patterns mapped to TA0004 (Privilege Escalation) and TA0006 (Credential Access) by identifying authorization anomalies in bulk operation requests. Practitioners would observe findings highlighting: (1) insufficient per-resource authorization checks preceding deletion operations, (2) reliance on overly permissive capability-based controls that don't account for object ownership, and (3) missing audit trails correlating bulk deletions to specific user sessions. The platform would flag suspicious bulk deletion patterns—such as rapid sequential deletions of reports across different ownership contexts or deletion requests containing object identifiers the requesting user shouldn't have access to—enabling security teams to detect privilege escalation attempts and lateral movement through data manipulation before critical intelligence is lost.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

283 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-56423.

abusing-dpapi-for-credential-access

red teaming · high

Run

abusing-shadow-credentials-for-privesc

red teaming · high

Run

Access with Stolen Session Cookie

identity access management · low

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-56423

Casky has 283 skills that investigate the attack patterns behind CVE-2026-56423. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn