
MISP · EUVD-2026-34257

CVE-2026-10854 · MEDIUM
Information Exposure (CWE-200)
Published 2026-06-04 · Source: CIRCL · GHSA-3636-3mqq-q7x9
CVSS 4.0 score: 5.3 · Vendor: CIRCL

Severity by source

Vendor (CIRCL) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green

Primary rating from Vendor (CIRCL) · only source for this CVE.

CVSS Vector (Vendor: CIRCL)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined; CVSS 4.0 has no Scope metric)

Lifecycle Timeline

Source Code Evidence Fetched: Jun 04, 2026 16:25 (vuln.today)
Analysis Generated: Jun 04, 2026 16:25 (vuln.today)
CVSS changed: Jun 04, 2026 14:22 (NVD), new score 5.3 (MEDIUM)
CVE Published: Jun 04, 2026 12:51 (nvd), severity UNKNOWN (none assigned yet)

Description (source: CVE.org)

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility.

The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.
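The access rule described above, as an added illustration in plain PHP that is not MISP's own code: a site admin sees every enabled galaxy, while any other user sees only galaxies owned by their organisation or galaxies whose distribution is not org-only. The galaxy rows, the user records, the field names and the distribution constant are constructed here; MISP's real schema and the CakePHP find() conditions used in EventTemplatesController.php may differ.

```php
<?php
// Constructed sample data; field names are an assumption, not MISP's schema.
// Assumption: distribution 0 means "your organisation only" (private),
// mirroring MISP's event distribution levels.
const DISTRIBUTION_ORG_ONLY = 0;

$galaxies = [
    ['id' => 1, 'name' => 'Threat Actors',  'org_id' => 1, 'distribution' => 3, 'enabled' => true],
    ['id' => 2, 'name' => 'Internal Tools', 'org_id' => 2, 'distribution' => 0, 'enabled' => true],
    ['id' => 3, 'name' => 'Sector Watch',   'org_id' => 1, 'distribution' => 0, 'enabled' => true],
    ['id' => 4, 'name' => 'Retired Set',    'org_id' => 2, 'distribution' => 3, 'enabled' => false],
];

// Pre-fix behaviour: every enabled galaxy is returned regardless of who asks.
function enabledGalaxiesUnfiltered(array $galaxies): array
{
    return array_values(array_filter($galaxies, fn(array $g) => $g['enabled']));
}

// Fixed behaviour: site admins keep full visibility; everyone else is limited to
// galaxies their organisation owns or galaxies that are not org-only.
function galaxiesVisibleTo(array $galaxies, array $user): array
{
    $enabled = enabledGalaxiesUnfiltered($galaxies);
    if (!empty($user['site_admin'])) {
        return $enabled;
    }
    return array_values(array_filter($enabled, function (array $g) use ($user): bool {
        return $g['org_id'] === $user['org_id']
            || $g['distribution'] !== DISTRIBUTION_ORG_ONLY;
    }));
}

$analystOrgA = ['id' => 10, 'org_id' => 1, 'site_admin' => false];
$siteAdmin   = ['id' => 11, 'org_id' => 2, 'site_admin' => true];

// Before the fix, Org A's analyst also received Org B's org-only "Internal Tools".
$before = array_column(enabledGalaxiesUnfiltered($galaxies), 'name');
// After the fix, Org A's analyst gets only galaxies Org A owns or non-private ones.
$after  = array_column(galaxiesVisibleTo($galaxies, $analystOrgA), 'name');
$admin  = array_column(galaxiesVisibleTo($galaxies, $siteAdmin), 'name');

printf("Before fix (any user):      %s\n", implode(', ', $before));
printf("After fix (Org A analyst):  %s\n", implode(', ', $after));
printf("After fix (site admin):     %s\n", implode(', ', $admin));
```

In a real fix the predicate belongs in the database query's conditions, as the upstream description indicates, rather than in a post-fetch filter, so that counts, pagination and every other consumer of the query are covered.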

Analysis (AI-generated)

Private galaxy metadata in MISP versions up to and including 2.5.38 was exposed to authenticated non-site-admin users through the event template builder workflow due to missing organisation and distribution-based access controls. The EventTemplatesController.php __setBuilderConfig() method queried all enabled galaxies without filtering by ownership or distribution level, allowing users from one organisation to read galaxy names, types, and descriptions that belong to other organisations and are marked private. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Authenticate to a multi-organisation MISP instance
Delivery: Navigate to the event template builder UI
Exploit: Trigger the __setBuilderConfig() galaxy query
Execution: Receive unfiltered private galaxy metadata from peer organisations
Persist: Enumerate galaxy names, types, and descriptions
Impact: Infer intelligence focus areas of other organisations

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires a valid authenticated session with at minimum low-privilege access (confirmed by PR:L in the CVSS 4.0 vector) to a MISP instance hosting multiple organisations where at least one organisation has created private galaxies. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 score of 5.3 (Medium) is consistent with the actual impact: network-accessible (AV:N), low complexity (AC:L), no attack timing requirements (AT:N), low privilege required (PR:L), no user interaction (UI:N), and low confidentiality impact confined to the vulnerable system (VC:L) with zero integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in.

Exploit Scenario: An authenticated analyst belonging to Organisation A in a shared MISP community instance navigates to the event template builder. Without any special tooling, the builder's galaxy selector populates with all enabled galaxies, including those owned by Organisation B with private distribution, revealing their names, types, and descriptions. …

Remediation: The primary fix is available as upstream commit d3adfe1a097dd4b403364e9af34e208660eeec1a at https://github.com/MISP/MISP/commit/d3adfe1a097dd4b403364e9af34e208660eeec1a, which modifies EventTemplatesController.php to enforce organisation and distribution-based access controls in the galaxy query used by the template builder. … Detailed patch versions, workarounds, and compensating controls are in the full report.



EUVD-2026-34257 vulnerability details – vuln.today
