
MISP CVE-2026-10611

EUVD-2026-33917 · HIGH
Improper Authentication (CWE-287)
2026-06-02 · Vendor 5a6e4751-2f3f-4070-9419-94fb35b644e8 · GHSA-679g-pp8v-jvg4
8.2 (CVSS 4.0) · Vendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Severity by source

Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8), PRIMARY: 8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (5a6e4751-2f3f-4070-9419-94fb35b644e8), the only source for this CVE.

CVSS Vector (Vendor: 5a6e4751-2f3f-4070-9419-94fb35b644e8)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: X (not defined)

Lifecycle Timeline

  • Source Code Evidence Fetched: Jun 02, 2026 - 14:34 (vuln.today)
  • Analysis Generated: Jun 02, 2026 - 14:34 (vuln.today)

Description (CVE.org)

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge.

As a result, an attacker with valid primary authentication credentials could bypass the required OTP step by authenticating through the plugin-backed login flow and then directly accessing another application URL instead of completing the OTP verification page. This allows access to the application as the affected user without providing a valid TOTP, HOTP, or email OTP code.

The issue affects configurations where plugin-based authentication is enabled and OTP is expected to be mandatory. The fix ensures that OTP requirements are checked immediately after plugin authentication and before the user session is established, redirecting users to the appropriate OTP challenge when required.
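As an added illustration (a simplified Python model, not MISP's PHP code), the two orderings described above: in the vulnerable ordering the plugin-authenticated session is established inside beforeFilter and only the normal login action redirects to the OTP challenge, so a request for any other URL is served; in the fixed ordering the OTP requirement is evaluated right after plugin authentication and before any identity is trusted. The settings, user, credentials and directory are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

OTP_CHALLENGE = "/users/otp"
LOGIN_PAGE = "/users/login"

@dataclass
class User:
    name: str
    otp_enabled: bool  # user has TOTP/HOTP/email OTP set up on their profile

@dataclass
class Session:
    user: Optional[User] = None         # identity the application acts as
    otp_pending: Optional[User] = None  # plugin-authenticated, OTP still owed
    otp_passed: bool = False

# Constructed stand-in directory: login -> (password, user). Not real data.
DIRECTORY = {"alice": ("correct horse", User("alice", otp_enabled=True))}

def plugin_authenticate(creds: dict, directory: dict) -> Optional[User]:
    """Stand-in for a plugin such as LDAP: primary credentials only, no OTP."""
    entry = directory.get(creds.get("login", ""))
    return entry[1] if entry and entry[0] == creds.get("password") else None

def otp_required(config: dict, user: User) -> bool:
    return bool(config.get("Security.require_otp")) and user.otp_enabled

def before_filter(config: dict, creds: dict, url: str, session: Session, patched: bool) -> str:
    """One request through a simplified beforeFilter; returns the path served."""
    if config.get("LdapAuth.mixedAuth") and session.user is None and creds:
        user = plugin_authenticate(creds, DIRECTORY)
        if user is not None:
            if patched and otp_required(config, user):
                # Fixed ordering: OTP checked before the session is established.
                session.otp_pending = user
                return OTP_CHALLENGE
            session.user = user  # vulnerable ordering: session established now
    if url == LOGIN_PAGE and session.user is not None:
        # The normal login flow is the only place the old ordering enforced OTP.
        if otp_required(config, session.user) and not session.otp_passed:
            return OTP_CHALLENGE
        return "/"
    if session.user is None:
        return LOGIN_PAGE
    return url  # any other URL is served once session.user is set

def risky_config(config: dict) -> bool:
    """Audit check matching the advisory: both settings enabled together."""
    return bool(config.get("LdapAuth.mixedAuth")) and bool(config.get("Security.require_otp"))
```

With the vulnerable ordering a request for /events/index carrying valid plugin credentials is served with the session bound to the user; with the fixed ordering the same request is answered with a redirect to /users/otp and no session identity.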

Analysis (AI)

OTP authentication bypass in MISP affects deployments where LdapAuth.mixedAuth=true is combined with Security.require_otp=true, allowing attackers with valid LDAP (or other plugin) credentials to skip the mandatory second factor. Because the plugin-driven login establishes the session during the AppController beforeFilter phase, an attacker can authenticate, ignore the /users/otp challenge page, and browse directly to any authorized application URL as the victim. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Obtain valid LDAP credentials
  • Delivery: Submit credentials via plugin login
  • Exploit: Session established in beforeFilter
  • Execution: Skip /users/otp redirect
  • Persist: Request arbitrary MISP URL
  • Impact: Access intelligence as victim user

Vulnerability Assessment (AI)

Exploitation: Requires the MISP deployment to be configured with both LdapAuth.mixedAuth=true and Security.require_otp=true (or Security.email_otp_enabled), and the attacker must already possess valid primary credentials for an LDAP-backed user account that has OTP enabled on its MISP profile. …

Risk Assessment: CVSS 4.0 scores this 8.2 (High) with AV:N/AC:L/AT:P/PR:N/UI:N/VC:H, reflecting a network-reachable, low-complexity bypass subject to an attack requirement (AT:P, the specific non-default configuration combination of mixedAuth and require_otp). …

Exploit Scenario: An attacker who has phished, brute-forced, or otherwise obtained an LDAP user's primary credentials submits them to a MISP instance running with mixedAuth and require_otp enabled. The plugin authenticates the session during beforeFilter; instead of completing the /users/otp challenge, the attacker simply navigates to /events/index or /attributes/search and is served the requested page as the victim, accessing threat intelligence without ever providing a TOTP, HOTP, or email OTP code.

Remediation: Upstream fix available (commit 39b3cb15aac4318afdd2ab63b96c2eac12b271fe); a released patched version is not independently confirmed in the supplied data, so administrators should track the next MISP release that includes this commit or cherry-pick it from https://github.com/MISP/MISP/commit/39b3cb15aac4318afdd2ab63b96c2eac12b271fe into their deployment. …

Recommended Action (AI)

Within 24 hours: Identify all MISP instances where LdapAuth.mixedAuth=true and Security.require_otp=true are both enabled; immediately disable one of these settings (recommend disabling LdapAuth.mixedAuth if operationally feasible, or temporarily disabling OTP requirement). …



CVE-2026-10611 vulnerability details – vuln.today
