VYPR
Medium severity · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-10863

Description

Authenticated users could manipulate database query ordering in MISP's over-correlation endpoint, potentially leading to unsafe query construction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A security issue existed in the overCorrelations() function within app/Controller/CorrelationsController.php where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values, potentially leading to manipulation of database query ordering [1].

Exploitation

An authenticated attacker could send a request to the over-correlation endpoint and provide a crafted value for the order parameter via named request parameters. This would allow them to influence the ordering clause used by the underlying database query [1].

Impact

The direct impact is the manipulation of database query ordering. Depending on how the value was processed by the data access layer, this could potentially expose the application to unsafe query construction. Further evidence would be required to confirm SQL injection or unauthorized data exposure through the manipulated ordering expression [1].

Mitigation

The vulnerability was fixed by removing order from the set of request-controlled parameters and setting the ordering server-side to occurrence desc after processing allowed user parameters. The patch was applied in commit aa094a335ba2855f8a42a1dc44398f43560fe247 [1].

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Misp/Misp, 2 versions listed (no CPE)

Patches (1)

aa094a335ba2

fix: [security] order field

https://github.com/MISP/MISP · iglocska · Jun 3, 2026 · via nvd-ref
1 file changed · +2 -2
  • app/Controller/CorrelationsController.php (modified, +2 -2)
    @@ -80,14 +80,14 @@ public function overCorrelations()
         {
             $query = [
                 'limit' => 50,
    -            'page' => 1,
    -            'order' => 'occurrence desc'
    +            'page' => 1
             ];
             foreach ($query as $customParam => $foo) {
                 if (isset($this->request->params['named'][$customParam])) {
                     $query[$customParam] = $this->request->params['named'][$customParam];
                 }
             }
    +        $query['order'] = 'occurrence desc';
             if (isset($this->request->params['named']['scope'])) {
                 $limit = $this->Correlation->OverCorrelatingValue->getLimit();
                 if ($this->request->params['named']['scope'] === 'over_correlating') {
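Review bot: limit and page are still copied straight from $this->request->params['named'] into $query by the foreach loop, with no type check or upper bound. Assigning $query['order'] after the loop is the right fix for the ordering clause, since no named parameter can override it any more, but the two remaining pass-through parameters deserve the same care: cast both to int and cap limit at the server-side maximum before they reach the query layer. A short comment above the new $query['order'] line explaining that ordering must stay server-controlled would also help, because the loop pattern invites someone to add order back into the $query defaults later.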


References (1)
