VYPR advisory · Published Jun 4, 2026 · 1 source

MISP: High-Severity Auth Bypass and Four Medium-Severity Flaws Disclosed


Key findings

  • High-severity authentication bypass (CVE-2026-10611) affects MISP with LDAP mixed auth and OTP.
  • Four medium-severity flaws include open redirect, URL validation, authorization, and visibility issues.
  • CVE-2026-10861 allows open redirects due to insufficient validation of post-login URLs.
  • CVE-2026-10855 permits unauthorized overwriting of event templates.
  • CVE-2026-10854 exposes private galaxies to unauthorized users.

Five vulnerabilities in the MISP threat intelligence platform were disclosed in close succession between June 2nd and June 4th, 2026. The batch comprises a high-severity authentication bypass and four medium-severity issues involving authorization, redirect handling, and data visibility.

The most severe of these, CVE-2026-10611, is an authentication bypass that affects MISP deployments using LDAP mixed authentication together with One-Time Password (OTP) enforcement. When configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin such as LDAP could bypass the session requirements, potentially allowing unauthorized access.

Four other medium-severity vulnerabilities were disclosed on June 4th, 2026. CVE-2026-10861 addresses an open redirect vulnerability in the UsersController::routeafterlogin() function. This flaw occurred because the session key storing the post-login redirect URL was not sufficiently validated, allowing attackers to craft malicious links that could redirect users to external sites.

Similarly, CVE-2026-10856 highlights a URL validation flaw within the MISP dashboard button widget. A crafted relative-looking URL could be interpreted by browsers as an external link, despite appearing local. While explicit schemes or host components were rejected, paths starting with a slash were not adequately secured against this misinterpretation.
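Both the post-login redirect (CVE-2026-10861) and the dashboard widget link (CVE-2026-10856) reduce to the same question: is a given string a genuinely same-origin path, or will a browser reinterpret it as an external link? The validator below is an added illustration, not MISP's own code (MISP is written in PHP; Python is used here for clarity), of the checks a defender would apply, including the leading-slash case the advisory describes. The function names, the constructed sample targets and the fallback of "/" are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample values: what a post-login redirect key or a dashboard
# widget link might carry. Names and defaults are assumptions, not MISP code.
SAMPLE_TARGETS = [
    "/events/index",              # ordinary local path: accept
    "/events/view/42?tab=1#top",  # query and fragment are fine: accept
    "//evil.example/login",       # protocol-relative: browser leaves the site
    "/\\evil.example",            # backslash: browsers treat it like a slash
    "/\t/evil.example",           # tab is stripped by browsers -> "//evil..."
    "https://evil.example/",      # explicit scheme and host
    "javascript:alert(1)",        # scheme-only pseudo-URL
    "evil.example/login",         # not rooted: resolves relative to current path
    "",                           # empty value
]


def is_safe_local_path(target: str) -> bool:
    """Return True only if `target` is a same-origin, root-relative path.

    The string checks run first because they catch the browser
    reinterpretations (scheme or host, leading double slash, backslash,
    whitespace stripping) that a plain parser would not flag.
    """
    if not target or len(target) > 2048:
        return False
    # Browsers strip tabs/newlines and treat '\' as '/', so any whitespace,
    # control character or backslash can turn a local path into "//host".
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target) or "\\" in target:
        return False
    # Must be rooted at "/" but not "//": "//host/..." is protocol-relative.
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    # Defence in depth: the parser must also agree that there is neither a
    # scheme nor a network location in what survived the string checks.
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(candidate: str, fallback: str = "/") -> str:
    """Return `candidate` if it is a safe local path, otherwise `fallback`."""
    return candidate if is_safe_local_path(candidate) else fallback


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:32} -> {'allow' if is_safe_local_path(t) else 'reject'}")
```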

An authorization flaw in the event template importer, detailed in CVE-2026-10855, allowed users to overwrite existing event templates without proper ownership verification. The system checked for matching templates but failed to ensure the importing user belonged to the organization that owned the template, potentially leading to unauthorized modifications.

Lastly, CVE-2026-10854 points to a visibility control issue in the event template creation workflow. Non-site-admin users could access private galaxies belonging to other organizations because the event template builder did not enforce organization or distribution-based access restrictions, exposing sensitive galaxy data.

Specific affected versions and patch availability for these vulnerabilities are expected to be given in MISP's official security advisories. Users are strongly encouraged to review those advisories and apply any available updates promptly to mitigate the risks associated with the disclosed flaws. The clustering of these vulnerabilities underscores the importance of regular security audits and timely patching for critical infrastructure like MISP.

Synthesized by Vypr AI