CVE-2026-10611 — MISP: OTP bypass when LDAP mixed-auth and OTP enforcement are both enabled
From CTI Daily Brief — 2026-06-04 · published 2026-06-04
CIRCL disclosed an authentication bypass in MISP: when LdapAuth.mixedAuth=true and Security.require_otp=true are both set, the user session is established in the login beforeFilter() phase, before the OTP challenge is enforced. An attacker holding valid LDAP credentials therefore authenticates and obtains a valid session without completing the TOTP, HOTP or email OTP step (GitHub Security Advisory GHSA-679G-PP8V-JVG4, 2026-06-02; BSI CERT-Bund WID-SEC-2026-1778, 2026-06-02). Because MISP is the dominant open-source threat-intelligence sharing platform across EU and Swiss national CERTs and ISACs, the blast radius of a single compromised LDAP account is full instance access, including TLP:AMBER and TLP:RED shared data and stored API keys. The fix is commit 39b3cb15 per the GitHub advisory. As an interim mitigation, disable one of the two settings (note that turning off Security.require_otp removes the OTP requirement altogether rather than closing the bypass) and review authentication logs for LDAP login events that are not followed by an OTP challenge.
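The two checks the brief recommends, as an added example that is not MISP project code: the first flags the vulnerable setting combination named in the advisory, the second correlates authentication log events and reports LDAP logins with no OTP challenge inside a time window. The log format, the `auth user=… method=… result=…` key=value layout, and the sample lines are constructed for this example and are not MISP's real log format; adapt the regex to your instance's audit log before use.

```python
"""Added example (not MISP project code).

Setting names come from GHSA-679G-PP8V-JVG4; the log format is a constructed,
hypothetical key=value layout and must be adapted to the real MISP audit log.
"""
import re
from datetime import datetime, timedelta

# Values MISP-style settings may carry when read from config files or CLI output.
TRUE_VALUES = {True, 1, "1", "true", "True", "TRUE", "yes", "on"}


def otp_bypass_exposed(settings):
    """True when both settings named in the advisory are enabled at once."""
    def enabled(key):
        return settings.get(key) in TRUE_VALUES
    return enabled("LdapAuth.mixedAuth") and enabled("Security.require_otp")


# Hypothetical log line: "<ISO8601 UTC> auth user=<name> method=<ldap|otp|...> result=<...> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) method=(?P<method>\S+) result=(?P<result>\S+)"
)


def parse_event(line):
    """Parse one constructed auth log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def ldap_logins_without_otp(lines, window_seconds=120):
    """Return (user, timestamp) for successful LDAP logins with no OTP challenge
    for the same user within window_seconds afterwards."""
    events = [e for e in (parse_event(l) for l in lines) if e]
    flagged = []
    for i, e in enumerate(events):
        if e["method"] != "ldap" or e["result"] != "success":
            continue
        deadline = e["ts"] + timedelta(seconds=window_seconds)
        challenged = any(
            f["user"] == e["user"]
            and f["method"] == "otp"
            and e["ts"] <= f["ts"] <= deadline
            for f in events[i + 1:]
        )
        if not challenged:
            flagged.append((e["user"], e["ts"].isoformat()))
    return flagged


# Constructed sample log: alice completes OTP, bob gets a session with no OTP
# challenge for 25 minutes, carol's LDAP bind fails and is ignored.
SAMPLE_LOG = """\
2026-06-03T08:12:01Z auth user=alice method=ldap result=success src=10.0.0.5
2026-06-03T08:12:04Z auth user=alice method=otp result=challenge src=10.0.0.5
2026-06-03T08:15:30Z auth user=bob method=ldap result=success src=203.0.113.7
2026-06-03T08:15:31Z auth user=bob method=session result=established src=203.0.113.7
2026-06-03T08:16:02Z auth user=carol method=ldap result=failure src=198.51.100.9
2026-06-03T08:40:00Z auth user=bob method=otp result=challenge src=203.0.113.7
""".splitlines()

if __name__ == "__main__":
    current = {"LdapAuth.mixedAuth": "true", "Security.require_otp": True}
    print("exposed:", otp_bypass_exposed(current))            # exposed: True
    print("suspicious:", ldap_logins_without_otp(SAMPLE_LOG))  # [('bob', '2026-06-03T08:15:30')]
```

The window defaults to two minutes because a legitimate login completes the OTP step within seconds; widen it to match your instance's OTP timeout. Any hit should be treated as a session that was created before the second factor, and the account's API keys and recent event access reviewed.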
CVE Summary Table
| CVE | Product | CVSS | EPSS | CISA KEV | Exploited in the wild | Fixed in | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-45247 | Mirasvit Full Page Cache Warmer (Magento 2) | 9.8 | ~0.5% | Yes (2026-06-03) | Yes (Imperva; CISA KEV) | v1.11.12 | Sansec |
| CVE-2026-8206 | Kirki WordPress plugin | 9.8 | ~2% | No | Yes (222+ blocked/24h) | v6.0.7 | BleepingComputer |
| CVE-2026-8181 | Burst Statistics WordPress plugin | 9.8 | n/a | No | Yes (~7,400 blocked/24h) | v3.4.2 | BleepingComputer |
| CVE-2026-20230 | Cisco Unified Communications Manager | 8.6 (SIR: Critical) | ~0.1% | No | No ITW (PoC public) | 14SU6 / 15 COP | Cisco PSIRT |
| CVE-2026-10611 | MISP | 8.2 | n/a | No | No | commit 39b3cb15 | GHSA |