Three vulnerabilities have been disclosed in MISP, the widely deployed open-source threat intelligence sharing platform, tracked as CVE-2026-10868 (CVSS 9.8 Critical), CVE-2026-10864 (CVSS 7.5 High), and CVE-2026-10861 (CVSS 6.1 Medium). The most severe — a mass assignment vulnerability — allows authenticated users to escalate privileges by manipulating user-supplied fields in the edit functionality.
What Are the Vulnerabilities?
CVE-2026-10868 — Mass Assignment Privilege Escalation (CVSS 9.8 Critical): The user edit functionality in UsersController::edit() does not properly filter user-supplied fields during edit requests. An authenticated attacker can inject additional fields into the edit request that modify attributes they should not have access to — such as role assignments, organisation membership, or API key permissions — enabling privilege escalation to administrative access within the MISP instance.
CVE-2026-10864 — Dashboard Widget Information Disclosure (CVSS 7.5 High): A vulnerability in MISP dashboard widgets allows an authenticated user to manipulate the fields option to influence which fields are returned by the New Users and New Organisations widgets, potentially disclosing information beyond the user’s authorised access level.
CVE-2026-10861 — Post-Login Open Redirect (CVSS 6.1 Medium): UsersController::routeafterlogin() uses the value stored in the pre_login_requested_url session key as the post-login redirect destination without proper validation, enabling open redirect attacks that can be used in phishing campaigns to redirect users to malicious sites after authenticating to MISP.
Which Versions Are Affected?
- MISP: versions with the affected controller code
What Is the Fix?
Update MISP to the latest version. The fixes implement proper field filtering in the user edit controller, restrict dashboard widget field exposure, and validate post-login redirect URLs.
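The two controller-level mitigations described above for CVE-2026-10868 and CVE-2026-10861, an allow-list on the fields an edit request may set and validation of the post-login redirect target, illustrated in Python as an added example that is not MISP's own code. The field names and the admin/non-admin split are constructed assumptions, not MISP's schema.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-lists (assumption, not MISP's real field names or policy):
# fields a non-admin user may change on their own account, and the extra
# fields that only a site administrator may touch.
SELF_EDITABLE = {"email", "gpgkey", "autoalert", "termsaccepted"}
ADMIN_ONLY = {"role_id", "org_id", "authkey", "disabled"}


def filter_edit_fields(submitted: dict, is_admin: bool) -> dict:
    """Return only the submitted fields the caller is permitted to set.

    Any key outside the allow-list (for example a role_id or authkey
    injected by a non-admin) is dropped before the record is saved, which
    is what closes the mass-assignment path: the model never sees the field.
    """
    allowed = SELF_EDITABLE | (ADMIN_ONLY if is_admin else set())
    return {k: v for k, v in submitted.items() if k in allowed}


def safe_post_login_redirect(requested: Optional[str], default: str = "/") -> str:
    """Accept only a local absolute path as the post-login destination.

    Rejects absolute URLs, scheme-relative '//host' forms (including the
    '///host' and backslash variants some browsers normalise to a host),
    and any value carrying a scheme, falling back to the default page.
    The result is rebuilt from the parsed path and query rather than
    echoed back, so no host-bearing prefix can survive.
    """
    if not requested:
        return default
    requested = requested.strip()
    if requested.startswith("//") or "\\" in requested:
        return default
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    return parts.path + (f"?{parts.query}" if parts.query else "")


if __name__ == "__main__":
    # A non-admin tries to smuggle role_id and authkey into an edit request.
    print(filter_edit_fields({"email": "a@example.test", "role_id": 1, "authkey": "x"}, False))
    # A stored pre-login URL pointing off-site is replaced by the default.
    print(safe_post_login_redirect("https://evil.example/"))
```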
Recommendations
Update MISP immediately. MISP instances contain sensitive threat intelligence data, Indicators of Compromise, and organisational sharing relationships. A privilege escalation to admin access compromises the confidentiality of shared intelligence and trust relationships with other MISP instances in sharing communities.
References
This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
