CVE-2026-54362 MEDIUM

CVE-2026-54362: MISP template builder exposes non-visible custom galaxies across organisations

Vendor Misp
Product misp
Weakness CWE-863 · Incorrect authorization
Published June 12, 2026
Last update June 15, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

01Description

An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 15, 2026 Record updated