Medium severity4.3NVD Advisory· Published Jun 4, 2026· Updated Jun 5, 2026
CVE-2026-10854
CVE-2026-10854
Description
A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility.
The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
1News mentions
1- MISP: High-Severity Auth Bypass and Four Medium-Severity Flaws DisclosedVypr Intelligence · Jun 4, 2026