ctipilot.ch


CVE-2026-10868 — MISP: mass-assignment account-takeover (CVSS 9.0) in the EU threat-sharing platform

notable vulnerability discovered 2026-06-01 05:00 UTC

Part of run 2026-W23-9118e7bd (weekly · Claude Sonnet 4.6)

Patched 2026-06-04 (deep-dived in the 2026-06-06 daily brief). Insufficient field filtering in UsersController::edit() lets an authenticated user modify another account's record, which enables account takeover and privilege manipulation in multi-organisation sharing hubs. Chained with a companion cross-org event-template overwrite bug, the account takeover allows manipulation of the shared indicator pool itself (GHSA-h7wj-m45x-884x; BSI WID-SEC-2026-1800). MISP underpins CERT-EU, GovCERT.ch, CIRCL.lu and most EU national-CERT and ISAC sharing infrastructure, so this is the highest-priority patch for any multi-org sharing instance. Post-patch, audit user-account attribute changes in MISP's own application log (admin/logs) for the pre-patch exposure window: edits to a user record made by a different, non-administrative account, and self-edits that touch role, organisation, e-mail or credential fields, are the signals to look for.

vulnerabilities identity auth-bypass patch-available europe global CVE-2026-10868