ctipilot.ch

MISP <2.5.42 — broken access control, cross-org hard-delete

cve · CVE-2026-56424

  • Coverage timeline: 1 (first 2026-06-25 → last 2026-06-25)
  • Briefs: 1 (1 distinct)
  • Sources cited: 3 (2 hosts)
  • Sections touched: 0
  • Co-occurring entities: 5 (listed under Related entities)

Story timeline

  1. 2026-06-25: CTI Daily Brief — 2026-06-25

Source distribution

  • github.com: 2 (67%)
  • misp-project.org: 1 (33%)

Related entities

Items in briefs about MISP <2.5.42 — broken access control, cross-org hard-delete (1)

CVE-2026-56447, CVE-2026-56446, CVE-2026-56425, CVE-2026-56424, CVE-2026-56423, CVE-2026-56422 — MISP 2.5.42: two site-admin RCE paths plus Azure-AD auth and broken-access-control hardening

From CTI Daily Brief — 2026-06-25 · published 2026-06-25

MISP 2.5.42 (released 2026-06-22 by the CIRCL-supported project) is a security-hardening release listing six CVEs in the threat-intelligence platform that most EU national CERTs/CSIRTs run (MISP, 2026-06-22 · GitHub release v2.5.42).

The release fixes two remote-code-execution paths. CVE-2026-56447 (CVSS 9.3 per the GitHub advisory) lets a site administrator point Kafka_rdkafka_config at a crafted file that abuses rdkafka's plugin.library.paths to load an attacker-supplied shared library under MISP's process privileges (GHSA-834x-pvxg-xh58); a second RCE comes from arbitrary NDJSON-log paths, now strictly controlled in 2.5.42 (T1505.003). Both require a site-admin account, so the practical risk is post-compromise persistence/lateral movement on a shared instance.

The remaining fixes harden Azure-AD authentication and close broken-access-control / mass-assignment issues across MISP's controllers (CVE-2026-56446, CVE-2026-56425, CVE-2026-56424, CVE-2026-56423, CVE-2026-56422); the release notes do not publish per-CVE CVSS scores. A compromised MISP instance exposes a whole community's TLP:AMBER/RED corpus and can be used to inject false indicators — upgrade to 2.5.42, verify file ownership on APP/tmp/ and the web root, and audit the admin trail for Kafka/log-path changes.