Security Advisory - Published 2026-06-22 - MISP / Threat Intelligence
MISP June 22 CVEs: check sharing scope, AAD auth, and log paths
This MISP batch affects three areas: object ownership and sharing scope, Azure AD OAuth session handling, and the NDJSON error log destination. Patch first, then preserve audit logs before changing API keys, sessions, or suspicious objects.
Affected areas
| CVE | Area | What to review | CVSS |
|---|---|---|---|
| CVE-2026-56422 | MISP | Patch MISP beyond 2.5.41 and review object ownership, sharing scope, and event changes | 9.4 |
| CVE-2026-56425 | AAD auth | Patch MISP AAD authentication hardening and review OAuth callback, session, and proxy logs | 9.3 |
| CVE-2026-56446 | JsonLogTool | Patch MISP log path validation and review NDJSON log destinations and webroot writes | 8.7 |
Owner self-check
```bash
# Deployed commit of the MISP checkout
git -C /var/www/MISP rev-parse --short HEAD 2>/dev/null
# Version strings in the logs and VERSION.json
grep -RniE 'MISP version|2\.5\.|commit' /var/www/MISP/app/tmp/logs /var/www/MISP/VERSION.json 2>/dev/null
# Last 150 log lines touching sharing scope, AAD auth, or the NDJSON logger
grep -RniE 'SharingGroup|event_id|org_id|organisation_uuid|proposal|galaxy_cluster_uuid|AadAuth|redirect_uri|JsonLogTool|ndjson' /var/www/MISP/app/tmp/logs 2>/dev/null | tail -150
# Log files modified in the last 10 days
find /var/www/MISP/app/tmp/logs -maxdepth 1 -type f -mtime -10 -print 2>/dev/null
```
What to review
- MISP version, Git commit, package source, and whether every web worker is on the patched code.
- Events, objects, proposals, sharing groups, galaxies, and organisations changed by lower-privileged accounts.
- Objects that moved to another event, organisation, owner, or sharing group without a normal change ticket.
- AAD authentication settings, HTTPS redirect URI enforcement, session rotation, and OAuth callback logs.
- NDJSON error log path settings, unexpected log files, and any recent PHP-like files under web-accessible directories.
- Audit logs, API auth key activity, REST imports, and form edits around the first suspicious timestamp.
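One way to script the NDJSON log path and webroot checks from the list above. This is an added example, not MISP code or part of the original advisory. The helper names and the sample tree are hypothetical, GNU `realpath` is assumed, and the configured log path must be supplied by the operator.

```shell
#!/usr/bin/env bash
# Added example: helper names and the sample tree are hypothetical, not MISP code.

# Return 0 only if candidate path $1 resolves inside approved directory $2.
# realpath -m (GNU coreutils) resolves "..", symlinks and not-yet-existing parts,
# and the trailing "/" in the pattern rejects siblings such as logs_old/.
log_path_ok() {
    local resolved approved
    resolved=$(realpath -m -- "$1") || return 2
    approved=$(realpath -m -- "$2") || return 2
    case "$resolved" in
        "$approved"/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print files under $1 modified in the last $2 days that contain a PHP opening tag.
recent_php_like() {
    find "$1" -type f -mtime "-$2" -exec grep -lE '<\?(php|=)' {} + 2>/dev/null | sort
}

# Constructed sample tree in a temp directory; prints its root.
build_sample() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/app/tmp/logs" "$root/app/webroot/img"
    printf '{"level":"error","message":"db timeout"}\n' > "$root/app/tmp/logs/error.ndjson"
    printf '<?php /* constructed marker, no real code */\n' > "$root/app/webroot/img/cache.php"
    printf 'GIF89a constructed image bytes\n' > "$root/app/webroot/img/logo.gif"
    printf '%s\n' "$root"
}

root=$(build_sample)
for p in "$root/app/tmp/logs/error.ndjson" "$root/app/tmp/logs/../../webroot/img/cache.php"; do
    if log_path_ok "$p" "$root/app/tmp/logs"; then echo "ok      $p"; else echo "REJECT  $p"; fi
done
recent_php_like "$root/app/webroot" 10
rm -rf "$root"
```

On a live host, run `recent_php_like` against a pre-patch file listing or the Git working tree status, because a fresh upgrade also touches legitimate PHP files.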
Safe fix path
- Patch MISP beyond the affected 2.5.41 line or apply the vendor commits for the deployed branch.
- Restart MISP workers and PHP services so stale code is not still serving requests.
- Preserve MISP audit logs before cleanup. Export suspect event, sharing-group, OAuth, and log-setting changes for review.
- Rotate API keys and invalidate sessions for accounts that made suspicious edits or had broad organisation-level access.
Repair help
Use Ping7 CVE Repair when MISP stores sensitive threat-intelligence data, audit logs show unexplained object moves, OAuth sessions look exposed, or log files may have been written outside approved directories.