Mass Assignment Vulnerability in MISP User Functionality
CVE-2026-10868
9CRITICAL
What is CVE-2026-10868?
A mass assignment vulnerability is present in the MISP application, specifically within the user edit functionality. This issue arises from inadequate filtering of user-supplied fields, allowing authenticated attackers to manipulate request data. When an attacker crafts a modified edit request with a user-controlled User.id value, it could lead to unauthorized modifications in other users' accounts, compromising account integrity and potentially exposing sensitive information. The vulnerability was mitigated by removing the User.id field from incoming request data prior to processing any user edit operations.
Affected Version(s)
misp 0 <= 2.5.38
