CVE-2026-9084

MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
CIRCLCNA
6 MEDIUM
ADJACENT
HIGH
NONE
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
misp-projectmisp
2.5.0 ≤
𝑥
≤ 2.5.37
CNA
Common Weakness Enumeration
References
https://github.com/MISP/MISP/commit/71f5662c1b5886613d2cd5c72fd93bb4ca6fa172