VYPR
Critical severity · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

CVE-2026-10868

Description

MISP mass assignment vulnerability allows authenticated attackers to modify unintended user accounts via crafted edit requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A mass assignment vulnerability exists in the MISP user edit functionality within UsersController::edit() due to insufficient filtering of user-supplied fields. The application accepted a user-controlled User.id value from request data, allowing an authenticated attacker to modify unintended user accounts. This vulnerability affects versions prior to the fix committed on GitHub [1].

Exploitation

An authenticated attacker needs to be able to send modified HTTP requests to the application. By crafting a request containing a different User.id value, the attacker can target another user's account for modification.

Impact

Successful exploitation allows an attacker to modify attributes of an unintended user account, potentially impacting account integrity. The scope of the impact depends on the attacker's privileges and the specific fields that are editable.

Mitigation

The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation. The fix was committed on GitHub on June 4, 2026 [1].
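As an added illustration (not MISP's code), the same request normalisation written in plain PHP with an allow-list instead of a single unset, one step beyond the patch described above: the record identity is taken from the route, and every submitted key outside the editable set, id included, is dropped and reported. `filterUserEdit`, `EDITABLE_USER_FIELDS` and the sample request are assumptions made for this example.

```php
<?php
// Added example, not MISP code: allow-list filter for a user edit payload.
// Assumed editable fields; a real controller would take these from its own policy.
const EDITABLE_USER_FIELDS = ['email', 'gpgkey', 'autoalert'];

/**
 * Build the record to save from the route id and the raw request body.
 * Returns [$record, $dropped], where $dropped lists the keys that were rejected.
 */
function filterUserEdit(int $routeUserId, array $requestData, array $allowed = EDITABLE_USER_FIELDS): array
{
    // Same normalisation as the controller: accept both {User: {...}} and flat bodies.
    $user = isset($requestData['User']) && is_array($requestData['User'])
        ? $requestData['User']
        : $requestData;

    $record = [];
    $dropped = [];
    foreach ($user as $field => $value) {
        if (in_array($field, $allowed, true)) {
            $record[$field] = $value;
        } else {
            // 'id' and any other unexpected key (e.g. a role or org reference) land here.
            $dropped[] = (string) $field;
        }
    }
    // Identity comes from the authenticated route, never from the body.
    $record['id'] = $routeUserId;
    return [$record, $dropped];
}

// Constructed request body: it names a foreign id and a field outside the allow-list.
[$record, $dropped] = filterUserEdit(42, [
    'User' => ['id' => 7, 'email' => 'me@example.org', 'role_id' => 1],
]);
echo json_encode(['record' => $record, 'dropped' => $dropped], JSON_PRETTY_PRINT), PHP_EOL;

if ($dropped !== []) {
    // A body that carries another user's id is a useful detection signal, so log it.
    error_log('user edit: dropped fields ' . implode(',', $dropped) . ' for user ' . $record['id']);
}
```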

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

  • Misp/Misp, 2 versions (no CPE)

Patches: 1

Commit 1be8c413b710

fix: [security] mass assignment fix

https://github.com/MISP/MISP · iglocska · Jun 3, 2026 · via nvd-ref
1 file changed · +3 −0
  • app/Controller/UsersController.php (+3 −0, modified)
    @@ -161,6 +161,9 @@ public function edit()
                 if (empty($this->request->data['User'])) {
                     $this->request->data = array('User' => $this->request->data);
                 }
    +            if (isset($this->request->data['User']['id'])) {
    +                unset($this->request->data['User']['id']);
    +            }
                 $abortPost = false;
                 if (!empty($this->request->data['User']['email']) && !$this->_isSiteAdmin()) {
                     $organisation = $this->User->Organisation->find('first', array(
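Review bot: the new guard strips only User.id; every other key in the request body still flows into the edit path, and the only further filter visible in this hunk is the site-admin check on User.email. Placing the unset after the `array('User' => ...)` wrapping is correct, since it covers both body shapes, but an allow-list of editable fields at this same point would drop any unexpected key by default rather than relying on one named exception. Separately, the unset is silent: a body that carries an id other than the one being edited is a strong signal of tampering, so logging the dropped key here would give operators a detection hook at no extra cost.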
    

References: 1
