MISP post-login open redirect via pre_login_requested_url
CVE-2026-10861

5.1MEDIUM

Key Information:

Vendor: Misp
Status: Misp
Vendor: CVE Published:; 4 June 2026

What is CVE-2026-10861?

An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path.

An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence.

The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\example.com.

Affected Version(s)

misp 0 <= 2.5.38

References

https://github.com/MISP/MISP/commit/ae760b7bf534f2798810d...

patch

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Jun 4, 2026

Credit

Andras Iklody

Jeroen Pinoy

CVE-2026-10861 Data

JSON

Misp

What is CVE-2026-10861?

Affected Version(s)

References

CVSS V4

Timeline

Credit