CVE-2026-56425
CVE-2026-56425 is a high-severity vulnerability in Misp-project Misp with a CVSS 3.x base score of 8.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-384.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v4: 9.3
- EPSS exploit prediction: 0% (17th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-38228
- Weakness: CWE-384
- Affected product: Misp-project Misp
- Published:
- Last modified:
Description
The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier (session_id()) as the OAuth state parameter. Because session identifiers are long-lived authentication credentials, exposing them in OAuth redirect URLs could leak valid session tokens through browser history, HTTP Referer headers, reverse proxies, access logs, or third-party infrastructure involved in the authentication flow. If obtained by an attacker, the leaked session identifier could potentially be used for session hijacking. Additionally, the implementation did not regenerate the session identifier after successful authentication, leaving authenticated sessions susceptible to session fixation attacks where an attacker forces a victim to use a known session identifier before login and later reuses that identifier after authentication. The OAuth state value was also not implemented as a dedicated, single-use nonce. This weakened CSRF protections and increased the risk of replay attacks against the OAuth callback process. The authentication flow further failed to enforce HTTPS for the configured OAuth redirect URI. If a non-HTTPS redirect URI was used, OAuth authorization codes and access tokens could traverse the network in plaintext, exposing sensitive credentials to network attackers. Finally, OAuth error responses containing attacker-controlled GET parameters were logged verbatim. An attacker could inject control characters or crafted log content, leading to log forging, log injection, or corruption of audit records. The fix introduces: * A dedicated cryptographically random OAuth state value. * Single-use state validation and invalidation. * Constant-time state comparison using hash_equals(). * Session identifier rotation after successful authentication. * Enforcement of HTTPS-only redirect URIs. * Sanitized and length-limited logging of OAuth error parameters. AAD Authentication Plugin (OAuth 2.0 / Azure Active Directory integration)
Frequently asked questions
- What is CVE-2026-56425?
- The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier (session_id()) as the OAuth state parameter. Because session identifiers are long-lived authentication credentials, exposing them in OAuth redirect URLs could leak valid session tokens through browser history, HTTP Referer headers, reverse proxies, access logs, or third-party infrastructure involved in the authentication flow. If obtained by an attacker, the leaked session identifier could potentially be used for session hijacking. Additionally, the implementation did not regenerate the session identifier after successful authentication, leaving authenticated sessions susceptible to session fixation attacks where an attacker forces a victim to use a known session identifier before login and later reuses that identifier after authentication. The OAuth state value was also not implemented as a dedicated, single-use nonce. This weakened CSRF protections and increased the risk of replay attacks against the OAuth callback process. The authentication flow further failed to enforce HTTPS for the configured OAuth redirect URI. If a non-HTTPS redirect URI was used, OAuth authorization codes and access tokens could traverse the network in plaintext, exposing sensitive credentials to network attackers. Finally, OAuth error responses containing attacker-controlled GET parameters were logged verbatim. An attacker could inject control characters or crafted log content, leading to log forging, log injection, or corruption of audit records. The fix introduces: * A dedicated cryptographically random OAuth state value. * Single-use state validation and invalidation. * Constant-time state comparison using hash_equals(). * Session identifier rotation after successful authentication. * Enforcement of HTTPS-only redirect URIs. * Sanitized and length-limited logging of OAuth error parameters. AAD Authentication Plugin (OAuth 2.0 / Azure Active Directory integration)
- How severe is CVE-2026-56425?
- CVE-2026-56425 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-56425 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (17th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-56425?
- CVE-2026-56425 affects Misp-project Misp. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-56425?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-56425 have an EU (EUVD) identifier?
- Yes. CVE-2026-56425 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-38228.
- When was CVE-2026-56425 published?
- CVE-2026-56425 was published on 2026-06-22 and last updated on 2026-06-26.
References
Affected products (1)
- cpe:2.3:a:misp-project:misp:*:*:*:*:*:*:*:*
More vulnerabilities in Misp-project Misp
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2024-29859 — Critical (CVSS 9.8): In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file…
- CVE-2024-29858 — Critical (CVSS 9.8): In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid…
- CVE-2024-25675 — Critical (CVSS 9.8): An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation…
- CVE-2024-25674 — Critical (CVSS 9.8): An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for…
- CVE-2023-50918 — Critical (CVSS 9.8): app/Controller/AuditLogsController.php in MISP before 2.4.182 mishandles ACLs for audit logs.
All CVEs affecting Misp-project Misp →
Other CWE-384 (Session Fixation) vulnerabilities
- CVE-2024-11317 — Critical (CVSS 10.0): Session Fixation vulnerabilities allow an attacker to fix a users session identifier before login providing an…
- CVE-2024-38513 — Critical (CVSS 10.0): Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a…
- CVE-2021-20151 — Critical (CVSS 10.0): Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. The router's…
- CVE-2025-67446 — Critical (CVSS 9.8): Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before. The router…
- CVE-2026-25101 — Critical (CVSS 9.8): Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same…
- CVE-2026-24352 — Critical (CVSS 9.8): PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the…