CVE-2026-9084 (GCVE-0-2026-9084)
Vulnerability from cvelistv5 – Published: 2026-05-20 14:22 – Updated: 2026-05-20 15:28
VLAI?
Title
MISP OIDC authentication bypass via automatic email-based account linking under insecure IdP configurations
Summary
MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.
Severity ?
CWE
- CWE-287 - Improper Authentication
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/71f5662c1b588… | patch |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:28:48.726589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:28:55.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThanOrEqual": "2.5.37",
"status": "affected",
"version": "2.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ali Ganiyev"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Luciano Righetti"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "MISP\u2019s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the \u003ccode\u003eemail\u003c/code\u003e claim when the local account had no stored \u003ccode\u003esub\u003c/code\u003e value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim\u2019s email address and authenticate as that user, leading to account takeover.\u003cbr\u003e"
}
],
"value": "MISP\u2019s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim\u2019s email address and authenticate as that user, leading to account takeover."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "ADJACENT",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:22:59.019Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/71f5662c1b5886613d2cd5c72fd93bb4ca6fa172"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MISP OIDC authentication bypass via automatic email-based account linking under insecure IdP configurations",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-9084",
"datePublished": "2026-05-20T14:22:59.019Z",
"dateReserved": "2026-05-20T14:21:56.589Z",
"dateUpdated": "2026-05-20T15:28:55.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-9084\",\"sourceIdentifier\":\"5a6e4751-2f3f-4070-9419-94fb35b644e8\",\"published\":\"2026-05-20T16:16:28.107\",\"lastModified\":\"2026-05-20T17:31:45.303\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MISP\u2019s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim\u2019s email address and authenticate as that user, leading to account takeover.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"5a6e4751-2f3f-4070-9419-94fb35b644e8\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"5a6e4751-2f3f-4070-9419-94fb35b644e8\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"references\":[{\"url\":\"https://github.com/MISP/MISP/commit/71f5662c1b5886613d2cd5c72fd93bb4ca6fa172\",\"source\":\"5a6e4751-2f3f-4070-9419-94fb35b644e8\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"5a6e4751-2f3f-4070-9419-94fb35b644e8\", \"shortName\": \"CIRCL\", \"dateUpdated\": \"2026-05-20T14:22:59.019Z\"}, \"title\": \"MISP OIDC authentication bypass via automatic email-based account linking under insecure IdP configurations\", \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287 Improper Authentication\", \"type\": \"CWE\"}]}], \"impacts\": [{\"capecId\": \"CAPEC-115\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-115 Authentication Bypass\"}]}], \"affected\": [{\"vendor\": \"misp\", \"product\": \"misp\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.5.0\", \"lessThanOrEqual\": \"2.5.37\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"MISP\\u2019s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim\\u2019s email address and authenticate as that user, leading to account takeover.\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"MISP\\u2019s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the \u003ccode\u003eemail\u003c/code\u003e claim when the local account had no stored \u003ccode\u003esub\u003c/code\u003e value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim\\u2019s email address and authenticate as that user, leading to account takeover.\u003cbr\u003e\"}]}], \"references\": [{\"url\": \"https://github.com/MISP/MISP/commit/71f5662c1b5886613d2cd5c72fd93bb4ca6fa172\", \"tags\": [\"patch\"]}], \"metrics\": [{\"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}], \"cvssV4_0\": {\"attackVector\": \"ADJACENT\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"Safety\": \"NOT_DEFINED\", \"Automatable\": \"NOT_DEFINED\", \"Recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"version\": \"4.0\", \"baseSeverity\": \"MEDIUM\", \"baseScore\": 6, \"vectorString\": \"CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\"}}], \"credits\": [{\"lang\": \"en\", \"value\": \"Ali Ganiyev\", \"type\": \"finder\"}, {\"lang\": \"en\", \"value\": \"Luciano Righetti\", \"type\": \"remediation developer\"}], \"source\": {\"discovery\": \"EXTERNAL\"}, \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-9084\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-20T15:28:48.726589Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-20T15:28:52.979Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-9084\", \"assignerOrgId\": \"5a6e4751-2f3f-4070-9419-94fb35b644e8\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"CIRCL\", \"dateReserved\": \"2026-05-20T14:21:56.589Z\", \"datePublished\": \"2026-05-20T14:22:59.019Z\", \"dateUpdated\": \"2026-05-20T15:28:55.640Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…