CVE-2026-10860
Description
A logic error in MISP's delete handler allows bypassing validation via HTTP DELETE requests, enabling unauthorized record deletion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A logic error in the delete handler of MISP's CRUD component (`CRUDComponent::delete()`) let a request proceed past a failed validation callback when it used the HTTP DELETE method. Because the condition lacked parentheses, PHP's operator precedence (`&&` binds tighter than `||`) made it evaluate as `($validationError === null && POST) || DELETE`, so any DELETE request reached the model's delete call regardless of the value of `$validationError`. This affects MISP versions prior to the fix committed on GitHub [1].
Exploitation
An authenticated attacker with access to an affected delete endpoint triggers the flaw simply by issuing the request with the HTTP DELETE method instead of POST. The delete validation callback still runs and records its rejection in `$validationError`, but the malformed condition ignores that result for DELETE requests, so the deletion proceeds anyway.
Impact
An attacker could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks. This could lead to the unauthorized removal of critical data within the MISP instance.
Mitigation
The vulnerability was fixed in MISP by correcting the conditional in `CRUDComponent::delete()`: the method check is now parenthesised, so both POST and DELETE requests require `$validationError === null` before the delete is executed [1]. Users should update to a MISP release containing fix commit 1a5877559dc88. The exact patched version and release date are not specified in the available references.
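Beyond updating, a practitioner will want to confirm the same precedence slip is not present elsewhere in a checkout. The scanner below is an added example, not MISP code: it uses PHP's own tokenizer to flag any parenthesised expression in which `&&` and `||` sit at the same nesting depth without grouping, which is exactly the shape of the removed line. The sample source it scans is constructed from the two lines of the fix diff; pass real file paths on the command line to scan a tree.

```php
<?php
// Added example, not MISP code: tokenizer-based scan for PHP conditions that
// mix && and || at the same parenthesis depth without grouping, i.e. the
// shape of the bug fixed in commit 1a5877559dc88. The sample source below is
// constructed from the two lines of that diff; point the script at real
// files to check a checkout for the same pattern elsewhere.
declare(strict_types=1);

/**
 * Returns [[line, expression], ...] for every parenthesised expression in
 * $source where both && and || appear directly inside the same parentheses.
 * Such expressions rely on PHP evaluating && before ||, which is where the
 * MISP delete gate went wrong.
 */
function findMixedBooleanOps(string $source): array
{
    $findings = [];
    $stack = [];   // one frame per currently open "("
    $line = 1;     // last line seen; "(" and ")" tokens carry no line of their own

    foreach (token_get_all($source) as $tok) {
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            if ($stack) {
                $i = count($stack) - 1;
                if ($id === T_BOOLEAN_AND) { $stack[$i]['and'] = true; }
                if ($id === T_BOOLEAN_OR)  { $stack[$i]['or']  = true; }
                $stack[$i]['text'] .= $text;
            }
        } elseif ($tok === '(') {
            $stack[] = ['and' => false, 'or' => false, 'line' => $line, 'text' => ''];
        } elseif ($tok === ')' && $stack) {
            $frame = array_pop($stack);
            if ($frame['and'] && $frame['or']) {
                $expr = '(' . trim(preg_replace('/\s+/', ' ', $frame['text'])) . ')';
                $findings[] = [$frame['line'], $expr];
            }
            if ($stack) {   // the inner group becomes opaque text for its parent
                $stack[count($stack) - 1]['text'] .= '(' . $frame['text'] . ')';
            }
        } elseif ($stack) {
            $stack[count($stack) - 1]['text'] .= $tok;
        }
    }
    return $findings;
}

// Constructed sample: the removed line and the added line from the MISP diff.
$sample = <<<'PHP'
<?php
if ($validationError === null && $this->Controller->request->is('post') || $this->Controller->request->is('delete')) { }
if ($validationError === null && ($this->Controller->request->is('post') || $this->Controller->request->is('delete'))) { }
PHP;

$files = array_slice($argv, 1) ?: [];
$results = $files
    ? array_map(fn($f) => [$f, findMixedBooleanOps((string) file_get_contents($f))], $files)
    : [['<sample>', findMixedBooleanOps($sample)]];

foreach ($results as [$name, $hits]) {
    foreach ($hits as [$ln, $expr]) {
        echo "$name:$ln: mixed && and || without grouping: $expr\n";
    }
}
```

Run without arguments it reports only the vulnerable line (line 2 of the sample); the patched line produces no finding because its `||` lives one parenthesis level deeper than the `&&`. Every hit is a place where the author is relying on precedence rather than stating intent, which is worth a second look even when the precedence happens to be what was meant.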
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
1a5877559dc88 fix: [security] logic fail in CRUD component's delete function
1 file changed · +1 −1
app/Controller/Component/CRUDComponent.php+1 −1 modified@@ -317,7 +317,7 @@ public function delete(int $id, array $params = []) throw new MethodNotAllowedException('Something went wrong, delete action failed.'); } } - if ($validationError === null && $this->Controller->request->is('post') || $this->Controller->request->is('delete')) { + if ($validationError === null && ($this->Controller->request->is('post') || $this->Controller->request->is('delete'))) { if (!empty($params['modelFunction'])) { $result = $this->Controller->$modelName->{$params['modelFunction']}($id); } else {
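Review bot: the grouped condition is the right fix for the precedence error, but the hunk ships without a regression test for the path this bug was about; add a controller test that installs a validation callback returning an error and asserts that a DELETE request does not reach `$params['modelFunction']` or the model delete, otherwise the next refactor of this line can silently reintroduce the bypass. Since the only method-specific behaviour here is "POST or DELETE", the `||` could be removed altogether by writing the check as a single `request->is(['post', 'delete'])` call, provided the CakePHP release MISP builds against accepts an array argument to `is()`; and it is worth grepping the rest of the component for other `&&`/`||` mixes without grouping, as the same slip is easy to repeat.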
Vulnerability mechanics
Root cause
"A logic error in the delete condition allowed validation failures to be bypassed."
Attack vector
An authenticated attacker with access to an affected delete endpoint could abuse this flaw. The vulnerability exists because the delete condition was evaluated as ($validationError === null && POST) || DELETE. This meant that a DELETE request could proceed even when the delete validation callback had rejected the operation. The attacker could exploit this to delete records that should have been protected by application-level validation or authorization checks.
Affected code
The vulnerability resides in the `delete` method of the `CRUDComponent.php` file within the MISP application. Specifically, the logic error is present in the conditional statement that handles the delete operation.
What the fix does
The patch adds parentheses around the method check. The original condition `$validationError === null && $this->Controller->request->is('post') || $this->Controller->request->is('delete')` becomes `$validationError === null && ($this->Controller->request->is('post') || $this->Controller->request->is('delete'))`, so a request must both pass the validation callback and use POST or DELETE before the model delete is called. This closes the validation and authorization bypass for the HTTP DELETE method (commit 1a5877559dc88 [1]).
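The evaluation described in the Vulnerability section above and the corrected condition in this one differ in exactly one case, which is easiest to see by running both gates over every method and validation outcome. The following is an added example, not MISP code: `FakeRequest` is a test double whose `is()` stands in for the CakePHP `request->is()` calls in the diff, the two gate functions copy the removed and added lines verbatim, and the validation error message is constructed for the demonstration.

```php
<?php
// Added example, not MISP code: a stand-in for the delete gate in
// CRUDComponent::delete() before and after commit 1a5877559dc88. FakeRequest
// is a test double whose is() mirrors the CakePHP request->is() calls in the
// diff; the validation message is constructed for the demonstration.
declare(strict_types=1);

final class FakeRequest
{
    /** @var string */
    private $method;

    public function __construct(string $method)
    {
        $this->method = strtoupper($method);
    }

    // Stand-in for CakeRequest::is('post') / is('delete').
    public function is(string $type): bool
    {
        return strtoupper($type) === $this->method;
    }
}

// Vulnerable gate, exactly as the removed line reads. PHP binds && tighter
// than ||, so this parses as (($validationError === null && POST) || DELETE):
// a DELETE passes even when the validation callback set an error.
function deleteProceedsVulnerable($validationError, FakeRequest $request): bool
{
    return $validationError === null && $request->is('post') || $request->is('delete');
}

// Patched gate, as the added line reads: the method check is grouped, so
// both methods require $validationError === null.
function deleteProceedsPatched($validationError, FakeRequest $request): bool
{
    return $validationError === null && ($request->is('post') || $request->is('delete'));
}

// Exercise every (method, validation outcome) pair against one gate.
function gateMatrix(callable $gate): array
{
    $matrix = [];
    foreach (['GET', 'POST', 'DELETE'] as $method) {
        // null means the callback accepted; a string is its rejection message.
        foreach ([null, 'Constructed error: callback rejected the delete'] as $error) {
            $outcome = $error === null ? 'validation ok' : 'validation rejected';
            $matrix[$method][$outcome] = $gate($error, new FakeRequest($method));
        }
    }
    return $matrix;
}

foreach (['vulnerable' => 'deleteProceedsVulnerable', 'patched' => 'deleteProceedsPatched'] as $label => $gate) {
    echo "$label gate:\n";
    foreach (gateMatrix($gate) as $method => $row) {
        foreach ($row as $outcome => $proceeds) {
            printf("  %-6s %-20s delete proceeds: %s\n", $method, $outcome, $proceeds ? 'yes' : 'no');
        }
    }
}
```

The two tables agree on every row except DELETE with a rejected validation: the vulnerable gate lets it proceed, the patched gate does not. GET never proceeds under either gate, and a POST with a rejected validation is blocked under both, which is why the bug is invisible to any client that only ever deletes via POST.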
Preconditions
- auth: The attacker must be authenticated.
- input: The attacker must have access to an affected delete endpoint.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: none indexed.