GCVE-1-2026-0031 (CVE-2026-44381)

Vulnerability from gna-1 – Published: 2026-04-29 20:14 – Updated: 2026-05-06 16:00
VLAI?
Title
MISP - SQL injection via unvalidated ordering parameters in event and shadow attribute listings
Summary
A SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name. An attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact. The issue was fixed by removing direct use of the user-supplied order parameter, validating requested ordering fields against allowed model fields or the model schema, and constructing the order clause using validated field names and normalized sort directions only.
Severity ?
9.4 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H
CWE
Assigner
References
Impacted products
Vendor Product Version
misp misp Affected: 0 , < 2.5.37
Create a notification for this product.
Credits
Andras Iklody (the Insomniac MISP lead dev) Jeroen Gui
Relationships ?
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "misp",
          "vendor": "misp",
          "versions": [
            {
              "lessThan": "2.5.37",
              "status": "affected",
              "version": "0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Andras Iklody"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Jeroen Gui"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted \u003ccode\u003eorder\u003c/code\u003e or \u003ccode\u003esort\u003c/code\u003e values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name.\u003c/p\u003e\n\u003cp\u003eAn attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact.\u003c/p\u003e\n\u003cp\u003eThe issue was fixed by removing direct use of the user-supplied \u003ccode\u003eorder\u003c/code\u003e parameter, validating requested ordering fields against allowed model fields or the model schema, and constructing the order clause using validated field names and normalized sort directions only.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "A SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request parameters and incorporated them into database query ordering clauses without sufficient validation of the requested field name.\n\n\nAn attacker with access to the affected endpoints could craft a malicious ordering parameter to manipulate the generated SQL query. Depending on database permissions and query context, this could potentially allow unauthorized access to data, modification of query behavior, or other database-level impact.\n\n\nThe issue was fixed by removing direct use of the user-supplied order parameter, validating requested ordering fields against allowed model fields or the model schema, and constructing the order clause using validated field names and normalized sort directions only."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "references": [
        {
          "tags": [
            "pat"
          ],
          "url": "https://github.com/MISP/MISP/commit/53fc6be7da1c010ca4696a37c6e27bb699377efa"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "MISP - SQL injection via unvalidated ordering parameters in event and shadow attribute listings",
      "x_gcve": [
        {
          "recordType": "advisory",
          "vulnId": "gcve-1-2026-0031"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "cveId": "CVE-2026-44381",
    "datePublished": "2026-04-29T20:14:00.000Z",
    "dateUpdated": "2026-05-06T16:00:13.755114Z",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED",
    "vulnId": "GCVE-1-2026-0031",
    "vulnerabilitylookup_history": [
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-04-29T20:14:47.117221Z"
      ],
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-05-06T16:00:13.755114Z"
      ]
    ]
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.