ctipilot.ch

MISP OTP bypass — session established in beforeFilter before OTP when LdapAuth.mixedAuth+require_otp both on; fix commit 39b3cb15 / >=2.5.37

cve · CVE-2026-10611

Coverage timeline
1
first 2026-06-04 → last 2026-06-04
Peak priority
notable
1 notable
Sources cited
6
5 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-06-04CVE-2026-10611 — MISP: OTP bypass when LDAP mixed-auth and OTP enforcement are both enabled
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • bleepingcomputer.com2 (33%)
  • github.com1 (17%)
  • sansec.io1 (17%)
  • sec.cloudapps.cisco.com1 (17%)
  • wid.cert-bund.de1 (17%)

explore in graph

Entries about MISP OTP bypass — session established in beforeFilter before OTP when LdapAuth.mixedAuth+require_otp both on; fix commit 39b3cb15 / >=2.5.37 (1)

2026-06-04 · view entry permalink →

CVE-2026-10611 — MISP: OTP bypass when LDAP mixed-auth and OTP enforcement are both enabled

CIRCL disclosed an authentication-bypass in MISP where, with LdapAuth.mixedAuth=true and Security.require_otp=true, the user session is established in the login beforeFilter() phase before the OTP challenge is enforced — so an attacker holding valid LDAP credentials authenticates and gets a valid session without completing TOTP/HOTP/email OTP (GitHub Security Advisory GHSA-679G-PP8V-JVG4, 2026-06-02 · BSI CERT-Bund WID-SEC-2026-1778, 2026-06-02). MISP is the dominant open-source TI-sharing platform across EU/CH national CERTs and ISACs, so the blast radius is full instance access including TLP:AMBER/RED shared data and stored API keys. Fix is commit 39b3cb15 per the GitHub advisory; interim, drop one of the two settings and review logs for LDAP auth events not followed by an OTP challenge.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-45247 Mirasvit Full Page Cache Warmer (Magento 2) 9.8 ~0.5% Yes (2026-06-03) Yes (Imperva; CISA KEV) v1.11.12 Sansec
CVE-2026-8206 Kirki WordPress plugin 9.8 ~2% No Yes (222+ blocked/24h) v6.0.7 BleepingComputer
CVE-2026-8181 Burst Statistics WordPress plugin 9.8 n/a No Yes (~7,400 blocked/24h) v3.4.2 BleepingComputer
CVE-2026-20230 Cisco Unified Communications Manager 8.6 (SIR: Critical) ~0.1% No No ITW (PoC public) 14SU6 / 15 COP Cisco PSIRT
CVE-2026-10611 MISP 8.2 n/a No No commit 39b3cb15 GHSA
vulnerability04 Jun 05:00Zmulti-sourceOpen finding ↗