
MISP CVE-2026-10864

EUVD: EUVD-2026-34266 · MEDIUM
Information Exposure (CWE-200)
Published 2026-06-04 · CIRCL · GHSA-fpxh-9966-h5g3
CVSS 4.0 base score: 5.3 · Vendor: CIRCL

Severity by source

Vendor (CIRCL), primary rating and the only source for this CVE: 5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS 4.0 base metrics (Vendor: CIRCL)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Impact: Confidentiality Low, Integrity None, Availability None
Subsequent System Impact: Confidentiality Low, Integrity None, Availability None
Threat, Environmental and Supplemental metrics (including Safety, S:X): Not Defined

Lifecycle Timeline

  • Jun 04, 2026 16:53 (vuln.today): source code evidence fetched
  • Jun 04, 2026 16:53 (vuln.today): analysis generated
  • Jun 04, 2026 15:22 (NVD): CVSS changed to 5.3 (MEDIUM)
  • Jun 04, 2026 13:54 (NVD): CVE published, no severity yet

Description (CVE.org)

A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause the underlying query to fall back to returning unintended model fields.

For the New Users widget, this could allow a non-site-admin user to obtain user e-mail addresses even when user e-mail disclosure was disabled by configuration. For the New Organisations widget, crafted field selection could similarly result in unintended organisation fields being included in the dashboard response.

The issue was caused by applying field filtering and redaction in a way that could leave the selected field list empty. The patch ensures that the allowed field list is built safely, that restricted fields such as user e-mail addresses are removed before user-supplied field selection is processed, and that an empty field selection falls back only to the permitted default fields.

Impact: An authenticated low-privileged user with access to the affected dashboard widgets may be able to disclose restricted user or organisation metadata, including user e-mail addresses depending on configuration.

Analysis (AI-generated)

Authenticated low-privileged users of MISP versions up to and including 2.5.38 can manipulate the fields parameter of the New Users and New Organisations dashboard widgets to bypass server-side field redaction and retrieve restricted metadata, including user e-mail addresses even when e-mail disclosure is explicitly disabled via the Security.disclose_user_emails setting. The root cause is an order-of-operations flaw: in the pre-fix code the e-mail redaction did not cover the fallback path, so a crafted field selection that became empty after validation or redaction caused the widget to repopulate the field list from the full $field_options set, which still contained the e-mail field, and that list was returned unredacted. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: authenticate to MISP as a low-privileged user
  • Delivery: open the dashboard widget configuration
  • Exploit: submit a crafted fields parameter that becomes empty after validation
  • Execution: trigger the fallback to the unredacted $field_options list
  • Impact: read restricted user e-mail addresses or organisation metadata from the widget response

Vulnerability Assessment (AI-generated)

Exploitation: Authentication is required; the CVSS vector's PR:L reflects a low-privileged authenticated user, so unauthenticated exploitation is not possible. …

Risk Assessment: The CVSS 4.0 base score of 5.3 (Medium) is consistent with the actual risk profile: a confidentiality-only impact, reachable over the network by any authenticated account with dashboard access. …

Exploit Scenario: An authenticated MISP user with a standard (non-site-admin) role opens their dashboard, edits the New Users widget configuration, and submits a crafted fields parameter consisting of a field name that is stripped during server-side validation, producing an empty validated field list. The fallback logic then returns the full $field_options set, which in unpatched versions still contains the email field, so other users' e-mail addresses appear in the dashboard response despite Security.disclose_user_emails being disabled. …

Remediation: The upstream fix is GitHub commit 8722fda035b5b622de387ae1dd0159d71ff1e22e (https://github.com/MISP/MISP/commit/8722fda035b5b622de387ae1dd0159d71ff1e22e). A tagged release after 2.5.38 is the expected vehicle, but the exact patched release version is not confirmed by the available source data, so operators should check the current MISP release on the official repository and, after upgrading, confirm from a non-site-admin account that the New Users widget no longer returns e-mail addresses when Security.disclose_user_emails is disabled. …
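The following is an added model of the field-selection flaw described in the analysis and the exploit scenario above. It is hypothetical Python written for this page, not MISP's PHP code: FIELD_OPTIONS stands in for the widget's $field_options, DEFAULT_FIELDS for the permitted defaults the patch falls back to, the may_see_emails() check for the combination of site-admin role and Security.disclose_user_emails, and the sample rows are constructed. vulnerable_select() reproduces the pre-fix ordering, in which an empty validated selection falls back to the unredacted option list; patched_select() reproduces the post-fix ordering, in which restricted fields are removed from the allowed list before the user's selection is processed.

```python
"""Model of the dashboard-widget field-selection flaw behind CVE-2026-10864.

Hypothetical, simplified Python for illustration; MISP itself is PHP and this
is not its code. Names below are assumptions, not MISP identifiers.
"""

# Constructed sample rows standing in for the User model (not real data).
SAMPLE_USERS = [
    {"id": 1, "email": "alice@example.org", "org_id": 1, "date_created": "2026-06-01"},
    {"id": 2, "email": "bob@example.org", "org_id": 2, "date_created": "2026-06-02"},
]

# Hypothetical analogue of the widget's $field_options: every column the
# widget knows about, including the restricted e-mail column.
FIELD_OPTIONS = ["id", "email", "org_id", "date_created"]
# Hypothetical permitted defaults used when the caller selects nothing valid.
DEFAULT_FIELDS = ["id", "org_id", "date_created"]
RESTRICTED_FIELDS = {"email"}


def may_see_emails(is_site_admin, disclose_user_emails):
    """Site admins always see e-mails; others only when the (hypothetical
    analogue of the) Security.disclose_user_emails setting is enabled."""
    return is_site_admin or disclose_user_emails


def vulnerable_select(requested, is_site_admin, disclose_user_emails):
    """Pre-fix ordering as the advisory describes it: validation and redaction
    act on the caller's selection, and an empty result falls back to the
    *unredacted* option list."""
    selected = [f for f in requested if f in FIELD_OPTIONS]
    if not may_see_emails(is_site_admin, disclose_user_emails):
        selected = [f for f in selected if f not in RESTRICTED_FIELDS]
    if not selected:
        # BUG: the fallback re-adds every option, e-mail included, and nothing
        # redacts the list a second time. Requesting ["email"] or a bogus name
        # both land here.
        selected = list(FIELD_OPTIONS)
    return selected


def patched_select(requested, is_site_admin, disclose_user_emails):
    """Post-fix ordering: build the allowed list with restricted fields removed
    first, validate the request against it, and fall back only to permitted
    defaults (themselves filtered through the allowed list)."""
    allowed = list(FIELD_OPTIONS)
    if not may_see_emails(is_site_admin, disclose_user_emails):
        allowed = [f for f in allowed if f not in RESTRICTED_FIELDS]
    selected = [f for f in requested if f in allowed]
    if not selected:
        selected = [f for f in DEFAULT_FIELDS if f in allowed]
    return selected


def render_widget(rows, fields):
    """Project rows onto the selected fields, as the widget response would."""
    return [{f: row[f] for f in fields if f in row} for row in rows]


def leaks_email(select, requested, is_site_admin=False, disclose_user_emails=False):
    """True if the rendered response carries an e-mail the caller may not see."""
    fields = select(requested, is_site_admin, disclose_user_emails)
    rendered = render_widget(SAMPLE_USERS, fields)
    allowed = may_see_emails(is_site_admin, disclose_user_emails)
    return (not allowed) and any("email" in row for row in rendered)


if __name__ == "__main__":
    # Crafted selections: the redacted field alone, a name that validation
    # strips, and an empty selection. All three empty the list before fallback.
    for crafted in (["email"], ["no_such_field"], []):
        print(
            crafted,
            "vulnerable leaks:", leaks_email(vulnerable_select, crafted),
            "patched leaks:", leaks_email(patched_select, crafted),
        )
```

The two functions differ only in what the fallback draws from: the pre-fix path falls back to the list that was never redacted, so every input that empties the selection becomes a disclosure; the post-fix path redacts the source list first, so no selection, valid or not, can reintroduce a restricted field.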




CVE-2026-10864 vulnerability details – vuln.today
