Broken Access Control in MISP Authorization Checks

MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could cause the application to authorize one object but mutate another, or could modify objects that were merely visible rather than editable by the user’s organization. The affected paths included: * Event Reports tag removal: the route-authorized report could differ from the report ID used for tag detachment, enabling cross-organization tag removal from another event report * Collection Elements bulk deletion: bulk deletion authorized against a collection whose ID matched the collection-element row ID, rather than the element’s actual parent collection, enabling deletion of elements from collections the user did not own. * Analyst Data capture/update: nested analyst data updates cou

Casky was already ahead

This CVE exploits attack patterns that Casky's 283matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

CVE-2026-56424 represents a critical authorization flaw in MISP core where access control mechanisms fail to properly validate which objects users are authorized to modify. The vulnerability stems from authorization checks being performed against incorrect entities or missing entirely on write operations, allowing authenticated users with lower privileges to mutate objects they should not be able to edit. This affects any organization deploying MISP for threat intelligence sharing and coordination, potentially compromising data integrity and enabling unauthorized modifications to threat indicators, event data, and organizational intelligence repositories.

Casky.ai's 283 matching security skills leverage Claude's extended reasoning to detect the attack patterns behind this authorization bypass. The platform maps findings to MITRE ATT&CK techniques TA0004 (Privilege Escalation) and TA0006 (Credential Access), identifying when attackers exploit these broken access controls. Practitioners using Casky would see detections flagging suspicious write operations where users modify objects outside their organization's scope, authorization mismatches between checked and mutated entities, and patterns of users accessing editable resources despite lacking explicit edit permissions. The system correlates CWE-639 (Authorization through User-Controlled Key), CWE-862 (Missing Authorization), and CWE-863 (Incorrect Authorization) patterns to surface these control bypasses in automated threat assessment findings.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

283 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-56424.

abusing-dpapi-for-credential-access

red teaming · high

Run

abusing-shadow-credentials-for-privesc

red teaming · high

Run

Access with Stolen Session Cookie

identity access management · low

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-56424

Casky has 283 skills that investigate the attack patterns behind CVE-2026-56424. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn