GCVE-1-2026-0030

PUBLISHED

Published: 29 Apr 2026, 20:10

Last modified:29 Apr 2026, 20:10

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.3 CRITICAL

v4.0 (gcve)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

29 Apr 2026, 20:10

Published

Vulnerability first disclosed

Description

An improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within the same organization. Because non-site administrators were not explicitly prevented from accessing or resetting site administrator auth keys, an attacker with organization administrator privileges could potentially obtain a newly generated auth key for a higher-privileged account and use it to escalate privileges. The issue is fixed by preventing non-site administrators from viewing or resetting authentication keys associated with site administrator roles.

CVSS Metrics

v4.0•CRITICAL•Score: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

Techniques & Countermeasures

CWE-863•Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Affected Systems

misp•misp
< <2.5.37

References (1)

https://github.com/MISP/MISP/commit/cb4048873ca934855007406b87ae0d124f50224a