VYPR
← All advisories
Medium severityNVD Advisory· Published Jun 4, 2026· Updated Jun 4, 2026

CVE-2026-10854

CVE-2026-10854

Description

Non-site-admin users could view private galaxy metadata from other organizations due to improper visibility controls in event template creation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Non-site-admin users could view private galaxy metadata from other organizations due to improper visibility controls in event template creation.

Vulnerability

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions. This affected all versions of MISP prior to the fix.

Exploitation

An attacker who is not a site administrator could exploit this vulnerability by creating an event template. During the template creation process, the system would load all enabled galaxies without enforcing proper access controls, allowing the attacker to view private galaxy metadata from other organizations.

Impact

An attacker could gain unauthorized visibility into private galaxy metadata, such as galaxy type and description, from organizations they do not belong to. This could lead to the disclosure of sensitive information about an organization's galaxy data.

Mitigation

The issue was fixed in commit d3adfe1a097dd4b403364e9af34e208660eeec1a [1]. The fix restricts galaxy queries for non-site-admin users to galaxies owned by the user’s organization or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.

References
  1. fix: [security] visibility of private galaxies preserved in event tem… · MISP/MISP@d3adfe1

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Misp/Mispreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)

Patches

1
d3adfe1a097d

fix: [security] visibility of private galaxies preserved in event template creation

https://github.com/MISP/MISPiglocskaJun 3, 2026via nvd-ref
commit
1 file changed · +12 1
  • app/Controller/EventTemplatesController.php+12 1 modified
    @@ -1010,11 +1010,22 @@ private function __setBuilderConfig()
             );
         }
         $this->set('taxonomiesAvailable', $taxonomies);
+        $orgCondition = $this->_isSiteAdmin()
+            ? array()
+            : array(
+                'OR' => array(
+                    'Galaxy.org_id' => (int)$this->Auth->user('org_id'),
+                    'Galaxy.distribution' > 0,
+                ),
+            );
 
         $this->loadModel('Galaxy');
         $galaxyRows = $this->Galaxy->find('all', array(
             'recursive' => -1,
-            'conditions' => array('Galaxy.enabled' => true),
+            'conditions' => array(
+                'Galaxy.enabled' => true,
+                $orgCondition,
+            ),
             'fields' => array(
                 'Galaxy.type',
                 'Galaxy.description',

Vulnerability mechanics

Root cause

"The event template builder loaded all enabled galaxies without applying organization or distribution-based access restrictions."

Attack vector

Non-site-admin users could access private galaxies belonging to other organizations by interacting with the event template creation workflow. The event template builder loaded all enabled galaxies without proper access controls, potentially exposing sensitive galaxy metadata. This allowed unauthorized users to view information they should not have access to [ref_id=1].

Affected code

The vulnerability lies within the `__setBuilderConfig` function, specifically in how it constructs the conditions for querying galaxies. The original code fetched all enabled galaxies without considering user organization or distribution settings. The patch introduces conditional logic to filter these queries based on user role and organization affiliation [ref_id=1].

What the fix does

The patch modifies the galaxy query conditions for non-site-admin users. It now restricts the query to include only galaxies owned by the user's organization or galaxies with a non-private distribution setting. Site administrators are unaffected and retain visibility of all enabled galaxies, ensuring the intended access control is maintained [patch_id=4797173, ref_id=1].

Preconditions

  • authThe attacker must be a non-site-admin user.

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

1