CVE-2026-10868 — MISP: critical mass-assignment account-takeover in the EU threat-sharing platform
From CTI Daily Brief — 2026-06-06 · published 2026-06-06 · view item permalink →
BSI published WID-SEC-2026-1800 covering seven vulnerabilities in MISP, the open-source threat-intelligence sharing platform that underpins CERT-EU, GovCERT.ch, CIRCL.lu and most EU national-CERT and ISAC feeds (BSI CERT-Bund, 2026-06-04; GitHub Security Advisory, 2026-06-04). The most severe, CVE-2026-10868 (CVSS 9.0), is a mass-assignment bug in UsersController::edit(): insufficient field filtering lets an authenticated user inject another account's identifier into the edit request, so the update is applied to an unintended account (T1078 Valid Accounts / account manipulation) — an authenticated account-takeover and privilege-manipulation primitive. The other six (CVE-2026-10854/10855/10856/10860/10861/10864) cover access-control bypass on private galaxy metadata, an org-crossing event-template overwrite, and an open redirect. In a multi-organisation sharing hub the account-takeover combined with the cross-org template overwrite enables manipulation of the shared indicator pool itself. Patches shipped 2026-06-04; the CVE-2026-10868 fix explicitly strips the User.id field before edit processing. Detection concepts: review MISP access logs for UsersController::edit POSTs where the posted user id differs from the session user id, and audit user accounts for unexpected role/group attribute changes.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | n/a | n/a | No | Yes | None (mitigation only) | Cisco PSIRT |
| CVE-2026-28318 | SolarWinds Serv-U (≤ 15.5.4) | 7.5 | n/a | Yes | Yes | 15.5.4 Hotfix 1 | SolarWinds |
| CVE-2026-10868 | MISP | 9.0 | n/a | No | No | Patched 2026-06-04 | GHSA |