VYPR
Medium severity · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-10864

Description

Authenticated users can manipulate MISP dashboard widgets to disclose restricted user or organization metadata, including email addresses.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A vulnerability exists in the MISP dashboard widgets, specifically the New Users and New Organisations widgets, allowing an authenticated user to manipulate the fields option. This manipulation can lead to unintended model fields being returned by the widgets, particularly when the selected field list becomes empty after validation or redaction. The issue affects all versions of MISP prior to the patch.

Exploitation

An attacker with authenticated, non-site-admin privileges needs to access the New Users or New Organisations dashboard widgets. By crafting a specific request for the fields option, they can cause the underlying query to return unintended fields. This could involve requesting a field set that, after server-side processing, results in an empty list of allowed fields, triggering a fallback mechanism that exposes restricted data.

Impact

Successful exploitation allows an authenticated low-privileged user to disclose restricted user or organisation metadata. Depending on the configuration, this can include sensitive information such as user email addresses, even when email disclosure is otherwise disabled. For the New Organisations widget, other unintended organisation fields may also be exposed.

Mitigation

The vulnerability is fixed in MISP via a commit on June 4, 2026 [1]. The patch ensures that the allowed field list is built safely, restricted fields like user email addresses are removed before user-supplied field selection is processed, and that an empty field selection falls back only to permitted default fields. No workarounds are mentioned in the available references.

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Misp/Misp, 2 versions referenced (no CPE)

Patches

8722fda035b5

fix: [security] dashboard data leakage

https://github.com/MISP/MISP · iglocska · Jun 3, 2026 · via nvd-ref
2 files changed · +15 −12
  • app/Lib/Dashboard/NewOrgsWidget.php (+3 −2, modified)
    @@ -165,14 +165,15 @@ public function handler($user, $options = array())
             if ($timeConditions) {
                 $params['conditions']['AND'][]['AND'] = $timeConditions;
             }
    +        $fields = [];
             if (isset($options['fields'])) {
    -            $fields = [];
                 foreach ($options['fields'] as $field) {
                     if (isset($field_options[$field])) {
                         $fields[$field] = $field_options[$field];
                     }
                 }
    -        } else {
    +        }
    +        if (empty($fields)) {
                 $fields = $field_options;
             }
             $data = $this->Organisation->find('all', [
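Review bot: `foreach ($options['fields'] as $field)` still iterates the user-supplied option without an `is_array` check, so a scalar value emits a warning and the loop body never runs, leaving the result to the new `empty($fields)` fallback; an explicit `isset(...) && is_array(...)` guard would make that path intentional rather than incidental. Since this widget, unlike `NewUsersWidget`, performs no redaction before `$fields = $field_options`, the fallback now relies entirely on `$field_options` containing only fields that every authenticated user may see; a comment stating that invariant next to its definition would protect future edits.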
    
  • app/Lib/Dashboard/NewUsersWidget.php (+12 −10, modified)
    @@ -152,24 +152,26 @@ public function handler($user, $options = array())
             if ($timeConditions) {
                 $params['conditions']['AND'][] = $timeConditions;
             }
    +        
    +        // redact e-mails for non site admins unless specifically allowed
    +        if (
    +            empty($user['Role']['perm_site_admin']) &&
    +            !Configure::read('Security.disclose_user_emails')
    +        ) {
    +                unset($field_options['email']);
    +        }
    +
    +        $fields = [];
             if (isset($options['fields'])) {
    -            $fields = [];
                 foreach ($options['fields'] as $field) {
                     if (isset($field_options[$field])) {
                         $fields[$field] = $field_options[$field];
                     }
                 }
    -        } else {
    -            $fields = $field_options;
             }
     
    -        // redact e-mails for non site admins unless specifically allowed
    -        if (
    -            empty($user['Role']['perm_site_admin']) &&
    -            !Configure::read('Security.disclose_user_emails') &&
    -            isset($fields['email'])
    -        ) {
    -                unset($fields['email']);
    +        if (empty($fields)) {
    +            $fields = $field_options;
             }
             $data = $this->User->find('all', [
                 'recursive' => -1,
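Review bot: Moving the e-mail redaction ahead of the selection loop is the right order here, because the new `if (empty($fields)) { $fields = $field_options; }` branch copies the already-redacted list, whereas the removed `else` branch copied `$field_options` before `email` was stripped; one behavioural consequence worth noting in the widget description is that a non-admin who requests only `email` now silently receives the default field set rather than an empty or rejected result. Minor style points: the added blank line at the top of the hunk (`+        `) carries trailing whitespace, and `unset($field_options['email']);` keeps the old 16-space indent inside the `if` body.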
    

Vulnerability mechanics

Root cause

"The dashboard widgets applied field filtering and redaction in a way that could result in an empty field list, causing unintended data disclosure."

Attack vector

An authenticated user with access to the New Users or New Organisations dashboard widgets can manipulate the `fields` option. By crafting a request where the selected fields become empty after validation or redaction, the underlying query may return unintended model fields. This can allow a non-site-admin user to disclose restricted user or organisation metadata, such as email addresses, even when such disclosure is disabled by configuration [1].

Affected code

The vulnerability resides in the `handler` function within `app/Lib/Dashboard/NewUsersWidget.php` and `app/Lib/Dashboard/NewOrgsWidget.php`. The logic for processing the `options['fields']` parameter was flawed, allowing for an empty field list to be passed to the data retrieval queries.

What the fix does

The patch modifies the `NewUsersWidget.php` and `NewOrgsWidget.php` files to ensure the allowed field list is built safely. It now removes restricted fields like user email addresses before processing user-supplied field selections. Additionally, if the processed field selection becomes empty, it correctly falls back to the permitted default fields, preventing the unintended data leakage [patch_id=4820256].
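As an added illustration, not code from MISP or from this page, the following PHP models the field-selection logic described under Exploitation and "What the fix does", with the pre-fix and post-fix variants side by side. `find_all` is a stand-in for CakePHP's `Model::find`, written on the assumption that an empty `fields` list selects every column; the sample rows, the contents of `field_options`, and the `is_array` guard in the fixed variant are my own constructions and are not part of the patch.

```php
<?php
// Added example (not MISP code): models the dashboard widget's field
// selection before and after the fix, run against a stand-in for
// CakePHP's find(), which returns every column when 'fields' is empty.

// Constructed sample rows standing in for the User table.
const SAMPLE_USERS = [
    ['id' => 1, 'email' => 'alice@example.invalid', 'org_id' => 1, 'date_created' => 1000, 'password' => 'hash1'],
    ['id' => 2, 'email' => 'bob@example.invalid',   'org_id' => 2, 'date_created' => 1001, 'password' => 'hash2'],
];

// Stand-in for Model::find('all', ['fields' => ...]) (assumption: an empty
// field list means "all columns", which is the behaviour the advisory describes).
function find_all(array $rows, array $fields): array
{
    if (empty($fields)) {
        return $rows;
    }
    return array_map(fn($row) => array_intersect_key($row, array_flip($fields)), $rows);
}

// Constructed allow-list of columns the widget may expose (keys are the
// option names a caller may request, values the column to select).
function field_options(): array
{
    return ['id' => 'id', 'email' => 'email', 'org_id' => 'org_id', 'date_created' => 'date_created'];
}

// Pre-fix logic: selection first, redaction afterwards. A request whose only
// valid entry is 'email' ends up as [] once redaction removes it.
function select_fields_vulnerable(array $user, bool $discloseEmails, array $options): array
{
    $field_options = field_options();
    if (isset($options['fields'])) {
        $fields = [];
        foreach ($options['fields'] as $field) {
            if (isset($field_options[$field])) {
                $fields[$field] = $field_options[$field];
            }
        }
    } else {
        $fields = $field_options;
    }
    if (empty($user['perm_site_admin']) && !$discloseEmails && isset($fields['email'])) {
        unset($fields['email']);
    }
    return $fields;
}

// Post-fix logic: redact the allow-list first, then select from it, then
// fall back to the (already redacted) defaults if nothing valid remains.
// The is_array() guard is an addition of mine, not part of the patch.
function select_fields_fixed(array $user, bool $discloseEmails, array $options): array
{
    $field_options = field_options();
    if (empty($user['perm_site_admin']) && !$discloseEmails) {
        unset($field_options['email']);
    }
    $fields = [];
    if (isset($options['fields']) && is_array($options['fields'])) {
        foreach ($options['fields'] as $field) {
            if (isset($field_options[$field])) {
                $fields[$field] = $field_options[$field];
            }
        }
    }
    if (empty($fields)) {
        $fields = $field_options;
    }
    return $fields;
}

// Constructed scenario: a non-site-admin, e-mail disclosure disabled, and a
// request that validates to 'email' alone, which redaction then removes.
$nonAdmin = ['perm_site_admin' => 0];
$request  = ['fields' => ['email']];

$leaky = find_all(SAMPLE_USERS, array_values(select_fields_vulnerable($nonAdmin, false, $request)));
$safe  = find_all(SAMPLE_USERS, array_values(select_fields_fixed($nonAdmin, false, $request)));

echo "pre-fix columns:  " . implode(', ', array_keys($leaky[0])) . PHP_EOL;
echo "post-fix columns: " . implode(', ', array_keys($safe[0])) . PHP_EOL;
```

With the constructed request the pre-fix path hands an empty field list to the query and every column of the sample rows comes back, `email` and `password` included, while the post-fix path returns only the redacted defaults. A request naming only unknown fields (or a non-array value) takes the same route, which is why the fix treats an empty selection as "use the safe defaults" rather than "select everything".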

Preconditions

  • auth: The attacker must be an authenticated user.
  • input: The attacker must have access to the affected dashboard widgets (New Users and New Organisations).

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
