Mass Assignment Vulnerability in MISP User Functionality
CVE-2026-10868

9CRITICAL

Key Information:

Vendor

Misp

Status
Vendor
CVE Published:
4 June 2026

What is CVE-2026-10868?

A mass assignment vulnerability is present in the MISP application, specifically within the user edit functionality. This issue arises from inadequate filtering of user-supplied fields, allowing authenticated attackers to manipulate request data. When an attacker crafts a modified edit request with a user-controlled User.id value, it could lead to unauthorized modifications in other users' accounts, compromising account integrity and potentially exposing sensitive information. The vulnerability was mitigated by removing the User.id field from incoming request data prior to processing any user edit operations.

Affected Version(s)

misp 0 <= 2.5.38

References

CVSS V4

Score:
9
Severity:
CRITICAL
Confidentiality:
Low
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andras Iklody
Jeroen Pinoy
.