Open Redirect Vulnerability in MISP's User Authentication Process
CVE-2026-10861

5.1 MEDIUM

Key Information:

Vendor: MISP
Status: Vendor
CVE Published: 4 June 2026

What is CVE-2026-10861?

An open redirect vulnerability exists in MISP's UsersController::routeafterlogin() function. An unauthenticated remote attacker can craft a link that points at a legitimate, trusted MISP instance; once the user authenticates there, the instance redirects them to an external URL under the attacker's control, which greatly increases the chance that a phishing attempt succeeds. The flaw stems from insufficient validation of user-controlled input used as a redirect target and illustrates why such targets must be checked to prevent redirects to external domains. The patch resolves the issue by accepting only local application paths as redirection targets.
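As an added illustration, and not MISP's own code or its patch, the following Python validator shows the kind of check the fix describes: a post-login redirect target is accepted only if it is a local application path, while full URLs, scheme-relative `//host` references, backslash variants that browsers normalise to `//`, and control-character tricks are rejected. Function names and the sample inputs are constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit


def is_safe_local_redirect(target: str) -> bool:
    """Return True only if `target` is a path on this application.

    Accepts absolute paths such as "/events/index?x=1#y". Rejects anything a
    browser could resolve to another origin: full URLs, scheme-relative
    "//host", backslash variants ("/\\host" is treated as "//host" by
    browsers), and values containing whitespace or control characters that
    browsers strip before parsing.
    """
    if not target or len(target) > 2048:
        return False
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    if "\\" in target:
        return False
    # Exactly one leading slash: "/path" is local, "//host/path" is not.
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    # Defensive: after the checks above neither part should ever be set.
    return not parts.scheme and not parts.netloc


def resolve_post_login_redirect(requested: Optional[str], default: str = "/") -> str:
    """Pick the post-login destination: the requested path if safe, else default."""
    if requested is not None and is_safe_local_redirect(requested):
        return requested
    return default


# Constructed sample targets (hypothetical values, not taken from the advisory).
SAMPLE_TARGETS = {
    "/events/index": True,
    "/events/view/1?sort=date#top": True,
    "https://attacker.example/login": False,
    "//attacker.example/login": False,
    "/\\attacker.example/login": False,
    "/\tattacker.example": False,
    "javascript:void(0)": False,
    "": False,
}

if __name__ == "__main__":
    for value, expected in SAMPLE_TARGETS.items():
        print(f"{value!r:36} safe={is_safe_local_redirect(value)} (expected {expected})")
```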

Affected Version(s)

misp: all versions from 0 up to and including 2.5.38

CVSS v4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Andras Iklody
Jeroen Pinoy