CVE-2026-56447
Published 2026-06-22
Priority: P3 48 high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.34% (26.1th percentile)
MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or administrative image, to host the malicious configuration file.
The issue is fixed by restricting the setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets.
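To show the fix strategy described above in code, here is an added example that is not MISP's own implementation: a validator that accepts the setting only when it is an absolute `.ini` path that resolves (after `..` collapsing and symlink following) into an approved configuration directory and outside the webroot and upload targets. The directory paths are assumed for illustration; the page does not state MISP's real approved directories.

```python
import os
import tempfile

# Illustrative allow-list only; MISP's real approved directories are not stated on the page.
ALLOWED_CONFIG_DIRS = ("/etc/misp",)
# Directories the fix rules out: the webroot and MISP upload targets (paths assumed).
FORBIDDEN_DIRS = ("/var/www/MISP/app/webroot", "/var/www/MISP/app/files")


def _inside(path: str, directory: str) -> bool:
    """True when `path` is `directory` itself or lies underneath it."""
    return os.path.commonpath([path, directory]) == directory


def validate_rdkafka_config_path(value, allowed_dirs=ALLOWED_CONFIG_DIRS,
                                 forbidden_dirs=FORBIDDEN_DIRS):
    """Return (accepted, detail). Rejects anything that is not an absolute .ini
    file resolving into an approved directory and outside webroot/upload targets."""
    if not isinstance(value, str) or not value:
        return False, "setting must be a non-empty string"
    if not os.path.isabs(value):
        return False, "path must be absolute"
    # realpath collapses '..' segments and follows symlinks, so the check is made
    # on where the file really is, not on how the administrator spelled it.
    resolved = os.path.realpath(value)
    if not resolved.lower().endswith(".ini"):
        return False, "only .ini files are accepted"
    for d in forbidden_dirs:
        if _inside(resolved, os.path.realpath(d)):
            return False, f"{resolved} lies inside forbidden directory {d}"
    if not any(_inside(resolved, os.path.realpath(d)) for d in allowed_dirs):
        return False, f"{resolved} is outside the approved configuration directories"
    return True, resolved


def symlink_demo():
    """Constructed scenario: an approved-looking .ini that is really a symlink
    into an upload directory. Returns the validator's verdict (expected: rejected)."""
    with tempfile.TemporaryDirectory() as root:
        conf, uploads = os.path.join(root, "conf"), os.path.join(root, "uploads")
        os.makedirs(conf)
        os.makedirs(uploads)
        target = os.path.join(uploads, "evil.ini")
        open(target, "w").close()
        link = os.path.join(conf, "kafka.ini")
        os.symlink(target, link)
        return validate_rdkafka_config_path(link, (conf,), (uploads,))


if __name__ == "__main__":
    for p in ("/etc/misp/kafka.ini", "/etc/misp/../../var/www/MISP/app/files/x.ini"):
        print(p, validate_rdkafka_config_path(p))
    print("symlink into uploads:", symlink_demo())
```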
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| misp-project | misp | < 2.5.42 | 2.5.42 |
| misp | misp | <= 2.5.41 | — |
CVSS provenance
NVD, CVSS v3.1: 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
vuldb · 2026-06-22 · CVSS 9.3
CVE-2026-56447 [CRITICAL] MISP up to 2.5.41 INI File Kafka_rdkafka_config inclusion of functionality from untrusted control sphere
A vulnerability classified as problematic was found in MISP up to 2.5.41. This vulnerability affects unknown code of the component INI File Handler. Executing a manipulation of the argument Kafka_rdkafka_config can lead to inclusion of functionality from untrusted control sphere.
The identification of this vulnerability is CVE-2026-56447. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is advised.
GHSA
ghsa_unreviewed · 2026-06-22
CVE-2026-56447 [CRITICAL] CWE-829 MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.