MISP user edit endpoint mass assignment vulnerability allows unauthorized user account modification
CVE-2026-10868

9CRITICAL

Key Information:

Vendor: Misp
Status: Misp
Vendor: CVE Published:; 4 June 2026

What is CVE-2026-10868?

A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity.

The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.

Affected Version(s)

misp 0 <= 2.5.38

References

https://github.com/MISP/MISP/commit/1be8c413b7104a889dfd3...

CVSS V4

Score:

Severity:

CRITICAL

Confidentiality:

Low

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Jun 4, 2026

Credit

Andras Iklody

Jeroen Pinoy

CVE-2026-10868 Data

JSON