
MISP · EUVD-2026-34289

CVE-2026-10868 · CRITICAL · 9.0 (CVSS 4.0, NVD)
Improper Privilege Management (CWE-269)
2026-06-04 · CIRCL · GHSA-h7wj-m45x-884x

Severity by source

NVD (primary): 9.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Source code evidence fetched: Jun 04, 2026 18:15 (vuln.today)
Analysis generated: Jun 04, 2026 18:15 (vuln.today)
CVSS changed: Jun 04, 2026 16:22 (NVD), 9.0 (CRITICAL)
CVE published: Jun 04, 2026 14:39 (nvd), UNKNOWN (no severity yet)

Description (CVE.org)

A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity.

The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.
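The fix described above amounts to one rule: the record being edited is chosen by the server (session or route), never by an `id` field in the submitted form. The following is an added example, not MISP's code, that shows the pre-fix and post-fix handler side by side against a tiny in-memory user table; the `UserTable`, `Session`, field allowlists and handler names are constructed for the illustration and do not correspond to MISP's CakePHP implementation.

```python
"""
Mass-assignment guard for a user-edit handler, added here to illustrate the
fix described above (dropping the client-supplied User.id before the record is
saved). This is an added example, not MISP's code: the in-memory user table,
the session object, the field allowlists and the handler names are all
constructed for the illustration.
"""
from dataclasses import dataclass

# Assumed allowlists: what a user may change on their own account, and what
# only an administrator may set on any account.
SELF_EDITABLE = {"email", "gpgkey"}
ADMIN_ONLY = {"role_id", "org_id"}


@dataclass
class User:
    id: int
    email: str
    role_id: int
    org_id: int
    gpgkey: str = ""


@dataclass
class Session:
    user_id: int
    is_admin: bool


class UserTable:
    """Stand-in for the ORM: save() writes every key of the dict onto the row
    selected by data['id'], which is exactly what makes a forged id dangerous."""

    def __init__(self, users):
        self.rows = {u.id: u for u in users}

    def save(self, data):
        row = self.rows[data["id"]]
        for key, value in data.items():
            if key != "id":
                setattr(row, key, value)
        return row


def edit_vulnerable(db, session, request_data):
    """Pre-fix behaviour: the form data is merged over the session-derived id,
    so a crafted User[id] in the body redirects the write to another account."""
    data = {"id": session.user_id}
    data.update(request_data)
    return db.save(data)


def edit_fixed(db, session, request_data, target_id=None):
    """Post-fix behaviour: 'id' is removed from the request data; the record
    to update comes from the session (self-edit) or from the route (admin)."""
    data = {k: v for k, v in request_data.items() if k != "id"}
    if target_id is None or target_id == session.user_id:
        data = {k: v for k, v in data.items() if k in SELF_EDITABLE}
        data["id"] = session.user_id
    else:
        if not session.is_admin:
            raise PermissionError("only administrators may edit other accounts")
        data = {k: v for k, v in data.items() if k in SELF_EDITABLE | ADMIN_ONLY}
        data["id"] = target_id
    return db.save(data)


def replay_crafted_edit():
    """Replay one crafted self-edit against both handlers and report which
    account's fields changed in each case."""
    crafted = {"id": 1, "email": "attacker@example.test", "role_id": 1}

    # Vulnerable handler: member 7 posts the crafted body, admin 1 gets rewritten.
    db = UserTable([User(1, "admin@example.test", 1, 1), User(7, "member@example.test", 3, 2)])
    edit_vulnerable(db, Session(user_id=7, is_admin=False), crafted)
    vulnerable_result = (db.rows[1].email, db.rows[7].email)

    # Fixed handler: same body; the forged id and role_id are discarded and
    # only the member's own email changes.
    db = UserTable([User(1, "admin@example.test", 1, 1), User(7, "member@example.test", 3, 2)])
    edit_fixed(db, Session(user_id=7, is_admin=False), crafted)
    fixed_result = (db.rows[1].email, db.rows[7].email, db.rows[7].role_id)

    return vulnerable_result, fixed_result


if __name__ == "__main__":
    print(replay_crafted_edit())
```

Stripping `id` alone closes the cross-account write; the allowlists add a second layer so that an ordinary user cannot set admin-only fields on their own record either, which is the usual companion fix for mass-assignment bugs.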

Analysis (AI-generated)

Privilege escalation in MISP threat intelligence platform versions through 2.5.38 allows authenticated users to modify other users' account attributes by submitting a crafted User.id parameter in edit requests. The UsersController::edit() function failed to strip user-supplied identifiers before processing, enabling cross-account modifications. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain authenticated MISP account
Delivery: Identify target user ID via API or enumeration
Exploit: Submit edit request with injected User[id] parameter
Execution: ORM updates targeted account attributes
Impact: Hijack administrator privileges or community membership

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires an authenticated session on a MISP instance running version 2.5.38 or earlier, network reachability to the /users/edit endpoint, and the ability to send a modified POST/PUT containing an attacker-controlled User[id] field in the request body. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/VC:L/VI:H/SI:H) yields a 9.0 base score driven by high integrity impact on both vulnerable and subsequent systems, with the AT:P (attack requirements present) reflecting that an attacker needs an authenticated session on the target instance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with any authenticated MISP account (for example a low-privileged community member) navigates to their own user edit page and intercepts the form submission, then injects a User[id] parameter pointing at an administrator's user ID. The crafted POST is accepted by UsersController::edit() and the ORM writes the attacker-supplied attribute changes (such as email, role association, or other editable fields) to the targeted administrator account, enabling account takeover or privilege escalation within the threat-sharing community.

Remediation: Upstream fix available (commit 1be8c41 in the MISP/MISP repository); a released patched version tag was not independently confirmed from the provided data, but operators should upgrade to the first MISP release following 2.5.38 containing this commit, available via https://github.com/MISP/MISP/commit/1be8c413b7104a889dfd30c5b1986e3ab17238e8. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Identify all MISP deployments and current versions; review authentication and edit request logs for suspicious User.id parameter modifications; restrict platform access to essential personnel only. …
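The log review suggested above boils down to one question: did a non-administrator's User edit land on a record other than their own? The following added example, not vuln.today's or MISP's tooling, runs that check over a few constructed NDJSON audit records. The field names (`actor_id`, `actor_role`, `model`, `model_id`, `changed`) and the sample lines are assumptions made for the illustration and do not reflect MISP's actual audit log schema, so map them onto your own log fields before use.

```python
"""
Audit-log review for cross-account User edits, added as an example of the
"suspicious User.id parameter modification" check recommended above. Not
MISP's or vuln.today's code: the NDJSON layout, field names and sample
records are constructed for the illustration.
"""
import json

# Constructed sample: one audit record per line. Line 2 is the suspicious one
# (ordinary user 7 edited user 1); line 3 is an admin acting on another user,
# line 4 is not a User edit at all.
SAMPLE_AUDIT = """\
{"ts": "2026-06-04T10:01:02Z", "actor_id": 7, "actor_role": "user", "action": "edit", "model": "User", "model_id": 7, "changed": ["gpgkey"]}
{"ts": "2026-06-04T10:05:44Z", "actor_id": 7, "actor_role": "user", "action": "edit", "model": "User", "model_id": 1, "changed": ["email"]}
{"ts": "2026-06-04T10:06:10Z", "actor_id": 1, "actor_role": "admin", "action": "edit", "model": "User", "model_id": 9, "changed": ["role_id"]}
{"ts": "2026-06-04T10:07:00Z", "actor_id": 9, "actor_role": "user", "action": "edit", "model": "Event", "model_id": 1, "changed": ["info"]}
"""


def parse_audit(text):
    """Parse NDJSON audit lines, skipping blank or malformed ones so one bad
    line does not abort the review."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_cross_account_edits(records):
    """Return User edit records where a non-admin actor modified a record
    whose id differs from the actor's own id."""
    hits = []
    for rec in records:
        if rec.get("model") != "User" or rec.get("action") != "edit":
            continue
        if rec.get("actor_role") == "admin":
            continue
        if rec.get("actor_id") != rec.get("model_id"):
            hits.append(rec)
    return hits


def summarize(hits):
    """One human-readable line per finding, for a ticket or a report."""
    return [
        f"{h['ts']}: user {h['actor_id']} edited user {h['model_id']} "
        f"(fields: {', '.join(h.get('changed', []))})"
        for h in hits
    ]


if __name__ == "__main__":
    for line in summarize(find_cross_account_edits(parse_audit(SAMPLE_AUDIT))):
        print(line)
```

Admin-initiated edits of other accounts are excluded because that is normal administration; if your environment logs them separately, review those for unexpected role or email changes as well.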



EUVD-2026-34289 vulnerability details – vuln.today