CVE-2026-10611
Description
MISP authentication bypass vulnerability allows OTP step to be skipped when LDAP mixed authentication and OTP enforcement are enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled alongside OTP enforcement. Specifically, in deployments where LdapAuth.mixedAuth is true and Security.require_otp is true, users authenticated via a plugin like LDAP may establish an authenticated session before the normal login flow enforces the OTP challenge. This affects MISP versions prior to the fix committed on June 2nd, 2026.
Exploitation
An attacker with valid primary authentication credentials can exploit this vulnerability by authenticating through the plugin-backed login flow (e.g., LDAP). After successful plugin authentication, instead of proceeding to the OTP verification page, the attacker can directly access another application URL. This bypasses the required OTP step, allowing access to the application as the targeted user.
Impact
Successful exploitation allows an attacker to bypass the mandatory One-Time Password (OTP) verification step. This grants the attacker access to the application with the privileges and session of the authenticated user, without needing to provide a valid TOTP, HOTP, or email OTP code. The scope of the compromise is limited to the privileges of the affected user account.
Mitigation
A fix for this vulnerability was committed on June 2nd, 2026 [1]. The patch ensures that OTP requirements are checked immediately after plugin authentication and before the user session is fully established, redirecting users to the appropriate OTP challenge when required. Users should update to the patched version as soon as possible. No workarounds are mentioned in the available references.
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (1)
Commit 139b3cb15aac4: fix: [security] prevent otp bypass when LdapAuth.mixedAuth=true and Security.require_otp=true
1 file changed · +54 −0
app/Controller/AppController.php+54 −0 modified@@ -1403,6 +1403,15 @@ protected function _loadAuthenticationPlugins() if ($this->Auth->startup($this)) { $user = $this->Auth->user(); if ($user) { + // A user authenticated by an authentication plugin (e.g. LDAP) gets + // logged in here, during beforeFilter, before UsersController::login() + // runs. If the user has OTP enabled we must enforce the OTP challenge at + // this point too, otherwise the OTP step shown at /users/otp could be + // bypassed by simply browsing to another URL with the already + // authenticated session. + if ($this->__pluginLoginRequiresOtp($user)) { + return; + } $this->User->updateLoginTimes($user); // User found in the db, add the user info to the session $this->Session->renew(); 
@@ -1411,6 +1420,51 @@ protected function _loadAuthenticationPlugins() } } + /** + * Enforce the OTP challenge for a user that was authenticated by an + * authentication plugin (e.g. LDAP) during beforeFilter. + * + * @param array $user The user record returned by the authentication plugin + * @return bool True if the user still needs to pass an OTP challenge (the + * caller must not establish the session); false otherwise. + */ + private function __pluginLoginRequiresOtp(array $user) + { + if (!empty($user['disabled'])) { + return false; + } + + $otpAction = null; + // TOTP / HOTP + if ( + !Configure::read('Security.otp_disabled') && + !empty($user['totp']) && + class_exists('\OTPHP\TOTP') + ) { + $this->Session->write('otp_user', $user); + $otpAction = 'otp'; + // E-mail OTP + } elseif (Configure::read('Security.email_otp_enabled')) { + $this->Session->write('email_otp_user', $user); + $otpAction = 'email_otp'; + } + + if ($otpAction === null) { + return false; + } + + // Avoid a redirect loop for session/header based auth plugins that + // re-authenticate on every request: when we are already on an OTP + // action just refuse to establish the session and let that action + // handle the challenge. + $currentAction = isset($this->request->params['action']) ? + $this->request->params['action'] : null; + if (!in_array($currentAction, ['otp', 'email_otp'], true)) { + $this->redirect(['controller' => 'users', 'action' => $otpAction]); + } + return true; + } + protected function _legacyAPIRemap($options = array()) { $ordered_url_params = array();
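Review bot: In the first hunk (@@ -1403,6 +1403,15 @@) the new comment says "If the user has OTP enabled", but the helper it calls also returns true on the global `Security.email_otp_enabled` setting regardless of the user's own enrolment, so the comment undersells when the early `return` fires. Suggest rewording to "If an OTP challenge applies to this user (TOTP/HOTP enrolled, or e-mail OTP enabled globally)". The `return` is only safe because `__pluginLoginRequiresOtp()` either redirects (and CakePHP 2's `Controller::redirect()` stops the request by default) or the current request is already an OTP action; a one-line comment stating that dependency would keep a future refactor of the helper from silently leaving a half-authenticated request to continue.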
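Review bot: In the second hunk (@@ -1411,6 +1420,51 @@) the redirect-loop guard tests only `$this->request->params['action']` against `['otp', 'email_otp']` and never checks the controller, so an action named `otp` on any other controller skips the redirect while still returning true. That fails closed (no session is established), but the user lands on a page that never presents the challenge; suggest `isset($this->request->params['controller']) && $this->request->params['controller'] === 'users' &&` in front of the `in_array()` test. Two smaller points: the helper never reads `Security.require_otp` even though the commit message names it as a precondition, so if enforcing OTP on every plugin login of a TOTP-enrolled user (or whenever e-mail OTP is enabled) is the intended behaviour, say so in the docblock; and the early `return false` for `!empty($user['disabled'])` hands control back to the caller, which then proceeds to `updateLoginTimes()` and `Session->renew()`, so confirm that disabled accounts are rejected before or after this point rather than silently logged in without an OTP step.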
Vulnerability mechanics
Root cause
"The application established a user session before enforcing the One-Time Password (OTP) challenge when mixed authentication was enabled."
Attack vector
An attacker with valid primary authentication credentials can exploit this vulnerability. The attacker first authenticates through a plugin-backed login flow, such as LDAP. Immediately after successful plugin authentication, instead of proceeding to the OTP verification page, the attacker directly accesses another application URL. This bypasses the required OTP step, allowing access to the application as the targeted user without a valid OTP code [ref_id=1].
Affected code
The vulnerability resides in the `_loadAuthenticationPlugins` method within the `app/Controller/AppController.php` file. Specifically, the code that handles user authentication via plugins before the normal login flow was modified to include a check for OTP requirements [patch_id=4494242][ref_id=1].
What the fix does
The patch modifies the `_loadAuthenticationPlugins` method in `AppController.php` to introduce a new private method `__pluginLoginRequiresOtp`. This method is called after a user is authenticated by a plugin but before the session is fully established. If OTP is required for the user, the application now redirects to the appropriate OTP challenge page, preventing the session from being established without OTP verification [patch_id=4494242][ref_id=1].
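To make the ordering bug concrete outside of PHP, here is a small model of the login pipeline as an added example. It is not MISP code: it uses a constructed user directory, a plugin authenticator that runs on every request (as an LDAP plugin does in a before-filter), and an OTP gate. In the vulnerable ordering the session identity is written as soon as the plugin accepts the credentials, so a request for any other URL succeeds without the OTP step; in the fixed ordering the user is parked in a pending slot and the identity is only written after OTP verification. All names, the `/users/otp` route and the `REQUIRE_OTP` flag are assumptions standing in for the page's `Security.require_otp`.

```python
"""Toy model of the pre-OTP session establishment bug (not MISP code).

Constructed for illustration: a two-user directory, a plugin-style
authenticator that runs on every request, and an OTP gate. handle_request()
returns an (http_status, body_or_location) pair for one request.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed directory: username -> (plugin password, TOTP enrolled?)
USERS = {"alice": ("s3cret", True), "bob": ("hunter2", False)}
OTP_ROUTE = "/users/otp"     # assumed OTP challenge route
REQUIRE_OTP = True           # stands in for Security.require_otp


@dataclass
class Session:
    user: Optional[str] = None         # established identity
    otp_pending: Optional[str] = None  # identity awaiting OTP (fixed variant)


def plugin_auth(username: str, password: str) -> Optional[str]:
    """LDAP-style primary authentication; returns the username on success."""
    rec = USERS.get(username)
    return username if rec and rec[0] == password else None


def handle_request(session: Session, path: str,
                   creds: Optional[Tuple[str, str]],
                   otp_ok: bool = False,
                   fixed: bool = True) -> Tuple[int, str]:
    """Process one request. `fixed=False` reproduces the vulnerable ordering."""
    # The plugin authenticates in the before-filter, before any route runs.
    if session.user is None and creds:
        user = plugin_auth(*creds)
        if user:
            needs_otp = REQUIRE_OTP and USERS[user][1]
            if fixed and needs_otp:
                # Fixed ordering: no session identity yet, only a pending one.
                session.otp_pending = user
                if path != OTP_ROUTE:
                    return 302, OTP_ROUTE
            else:
                # Vulnerable ordering (or no OTP needed): identity written now,
                # so browsing to any URL already counts as logged in.
                session.user = user

    if path == OTP_ROUTE:
        pending = session.otp_pending or session.user
        if pending is None:
            return 302, "/login"
        if otp_ok:
            # Only here does the fixed variant establish the real identity.
            session.user, session.otp_pending = pending, None
            return 200, "otp verified"
        return 200, "otp form"

    if session.user is None:
        return 302, "/login"
    return 200, path.strip("/")
```

Walking an enrolled user through both variants shows the difference: with `fixed=False`, `handle_request(Session(), "/events", ("alice", "s3cret"))` answers `200` immediately, while with the fixed ordering the same request is redirected to the OTP route on every attempt until a request to `/users/otp` with a verified code turns the pending identity into the session identity.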
Preconditions
- Config: LDAP mixed authentication must be enabled (`LdapAuth.mixedAuth=true`).
- Config: OTP enforcement must be enabled (`Security.require_otp=true`).
- Auth: The attacker must possess valid primary authentication credentials for a user.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0): No linked articles in our index yet.