VYPR
Medium severity · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-10861

Description

MISP users can be redirected to malicious external sites after login due to an open redirect vulnerability in UsersController::routeafterlogin().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An open redirect vulnerability exists in MISP UsersController::routeafterlogin() where the pre_login_requested_url session key is used for post-login redirection without sufficient validation. This affects MISP versions prior to the commit referenced in [1].

Exploitation

An unauthenticated remote attacker can craft a malicious link targeting a MISP instance. When a victim clicks this link and subsequently logs into the trusted MISP instance, they will be redirected to an attacker-controlled external URL.

Impact

Successful exploitation can lead to increased credibility of phishing attacks, redirection to counterfeit login pages, or delivery of attacker-controlled content from an untrusted domain. This could result in credential theft or further compromise of the victim's session.

Mitigation

The vulnerability is fixed in MISP versions after commit ae760b7bf534f2798810d59a1f961b31adb3443e [1]. The patch mitigates the issue by decoding the stored URL once, parsing it, and rejecting any value that carries a scheme, host or user component, that has a missing or non-local path, or that takes a protocol-relative form; only the local path, query and fragment are reassembled for the redirect.

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Misp / Misp: 2 affected versions (no CPE assigned)

Patches

1 patch: ae760b7bf534

fix: [security] open redirect removed

https://github.com/MISP/MISP · iglocska · Jun 3, 2026 · via nvd-ref
1 file changed · +23 −1
  • app/Controller/UsersController.php (+23 −1, modified)
    @@ -1354,7 +1354,29 @@ private function _postlogin()
         public function routeafterlogin()
         {
             // Events list
    -        $url = $this->Session->consume('pre_login_requested_url');
    +        $url = $this->Session->consume('pre_login_requested_url') ?? '';
    +
    +        $url = rawurldecode($url);
    +        $parts = parse_url($url);
    +
    +        if (
    +            $url === '' ||
    +            $parts === false ||
    +            isset($parts['host']) ||
    +            isset($parts['scheme']) ||
    +            isset($parts['user']) ||
    +            !isset($parts['path']) ||
    +            $parts['path'][0] !== '/' ||
    +            // reject "//x" and "/\x" - both resolve to a protocol-relative (off-site) URL
    +            (isset($parts['path'][1]) && ($parts['path'][1] === '/' || $parts['path'][1] === '\\'))
    +        ) {
    +            $url = '';
    +        } else {
    +            $url = $parts['path']
    +                . (isset($parts['query']) ? '?' . $parts['query'] : '')
    +                . (isset($parts['fragment']) ? '#' . $parts['fragment'] : '');
    +        }
    +        
             if (!empty(Configure::read('MISP.forceHTTPSforPreLoginRequestedURL')) && !empty($url)) {
                 if (substr($url, 0, 7) === "http://") {
                     $url = sprintf('https://%s', substr($url, 7));
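Review bot: once this validation is in place, the MISP.forceHTTPSforPreLoginRequestedURL branch in the unchanged context below it (the substr($url, 0, 7) === "http://" test) can no longer match, because any value carrying a scheme has already been reduced to '' by the new condition; either remove that branch in a follow-up or add a comment explaining why it is kept. A one-line comment above "$url = rawurldecode($url);" stating that exactly one decode pass is intended would also help future readers understand why a doubly encoded value such as %252F%252F stays a literal path and is rejected by the "$parts['path'][0] !== '/'" test rather than being decoded again. Minor: the added blank line before the if block carries trailing whitespace.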
    

Vulnerability mechanics

Root cause

"The application used a session-stored URL for post-login redirection without validating that it was a local path."

Attack vector

An unauthenticated remote attacker could craft a link that, when visited by a victim, causes the victim to be redirected to an attacker-controlled external URL after they log into a trusted MISP instance. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain [ref_id=1]. This is described by CWE-601 as accepting user-controlled input that specifies an external link and using it in a redirect [CWE-601].

Affected code

The vulnerability exists in the MISP UsersController::routeafterlogin() function. The original code retrieved the value from the 'pre_login_requested_url' session key and used it directly as the post-login redirect destination without sufficient validation [ref_id=1].

What the fix does

The patch mitigates the issue by adding validation to the URL stored in the pre_login_requested_url session key before using it for redirection [patch_id=4797170]. The validation decodes and parses the URL, rejecting URLs that contain a scheme, host, user component, a missing or non-local path, or protocol-relative forms like '//example.com' or '/\example.com'. This ensures that the redirect destination remains within the local application path, preventing redirection to external sites [ref_id=1].
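As an added illustration, and not MISP's own code, the same rule set the patch applies is re-implemented below in Python over constructed sample inputs; urllib.parse.urlsplit stands in for PHP's parse_url() and the function and case names are assumptions made here.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit


def safe_post_login_path(requested: Optional[str]) -> str:
    """Return a local redirect path, or '' when the stored value must be discarded.

    Mirrors the fix's rules: decode once, parse, reject anything with a scheme,
    host or user part, a path not starting with '/', or a '//' / '/\\' prefix,
    then rebuild only path + query + fragment so nothing else survives.
    """
    url = unquote(requested or "")          # one decode pass, like rawurldecode()
    if url == "":
        return ""
    parts = urlsplit(url)                   # stand-in for PHP's parse_url()
    if parts.scheme or parts.netloc or parts.username:
        return ""                           # absolute, protocol-relative or userinfo forms
    path = parts.path
    if not path.startswith("/"):
        return ""                           # relative or missing path
    if len(path) > 1 and path[1] in "/\\":
        return ""                           # "//host" or "/\\host" resolve off-site
    return (path
            + (f"?{parts.query}" if parts.query else "")
            + (f"#{parts.fragment}" if parts.fragment else ""))


# Constructed test vectors (not taken from the advisory) with the expected outcome.
CASES = {
    "/events/index": "/events/index",
    "/events/index?page=2#top": "/events/index?page=2#top",
    "//evil.example/login": "",             # protocol-relative
    "/\\evil.example/login": "",            # backslash variant
    "https://evil.example/login": "",       # absolute URL with scheme and host
    "javascript:alert(1)": "",              # scheme without host
    "%2F%2Fevil.example": "",               # decodes to //evil.example
    "%252F%252Fevil.example": "",           # second layer is not decoded; path starts with '%'
    "relative/path": "",
    "": "",
}


def run_cases() -> dict:
    """Evaluate every constructed case; returns {input: decision}."""
    return {u: safe_post_login_path(u) for u in CASES}
```

Python's urlsplit also strips ASCII tab and newline characters before parsing, a normalisation PHP's parse_url() does not perform, so results for inputs containing those characters are not directly comparable between the two.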

Preconditions

  • auth: The victim must be an authenticated user of the MISP instance.
  • input: The attacker must craft a malicious link that sets the 'pre_login_requested_url' session key to an external URL.

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 1