ctipilot.ch

Daily brief 2026-06-04

CVE-2026-10611 — MISP: OTP bypass when LDAP mixed-auth and OTP enforcement are both enabled

notable vulnerability discovered 2026-06-04 05:00 UTC

Part of run 2026-06-04-51b23ffa (intel · Claude Opus 4.8)

CIRCL disclosed an authentication bypass in MISP: with LdapAuth.mixedAuth=true and Security.require_otp=true, the user session is established in the login beforeFilter() phase before the OTP challenge is enforced, so an attacker holding valid LDAP credentials authenticates and obtains a valid session without completing TOTP/HOTP/email OTP (GitHub Security Advisory GHSA-679G-PP8V-JVG4, 2026-06-02 · BSI CERT-Bund WID-SEC-2026-1778, 2026-06-02). MISP is the dominant open-source TI-sharing platform across EU/CH national CERTs and ISACs, so the blast radius is full instance access, including TLP:AMBER/RED shared data and stored API keys. The fix is commit 39b3cb15 per the GitHub advisory; as an interim measure, disable one of the two settings (LdapAuth.mixedAuth or Security.require_otp) and review logs for LDAP authentication events that are not followed by an OTP challenge.
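The interim log review described above can be automated as a simple correlation: group authentication events by session and flag every LDAP login whose session never received an OTP challenge, together with what that session went on to do. The script below is an added example for this brief, not MISP's own code; the line format and the sample lines are constructed for illustration (real MISP logs use their own schema, so the parser would need to be adapted), and the event names ldap_auth_ok, otp_challenge, otp_ok and activity are hypothetical.

```python
"""Correlate LDAP logins with OTP challenges to spot sessions that skipped the
second factor. Added example, not MISP's own code; the log format below is
constructed for illustration and does not match any real MISP log schema.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Event:
    ts: datetime
    kind: str            # hypothetical kinds: ldap_auth_ok, otp_challenge, otp_ok, activity
    user: str
    session: str
    attrs: dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Event | None:
    """Parse one constructed line of the form '<iso-ts> <kind> key=value ...'.

    Returns None for lines that do not carry a user and session, so unrelated
    or malformed lines are skipped rather than crashing the review.
    """
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    attrs = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in attrs or "session" not in attrs:
        return None
    return Event(ts, parts[1], attrs["user"], attrs["session"], attrs)


def find_otp_gaps(lines) -> list[dict]:
    """Return one finding per LDAP login whose session never saw an OTP challenge."""
    sessions: dict[str, list[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            sessions[ev.session].append(ev)

    findings = []
    for sid, events in sessions.items():
        events.sort(key=lambda e: e.ts)
        for i, ev in enumerate(events):
            if ev.kind != "ldap_auth_ok":
                continue
            later = events[i + 1:]
            if any(e.kind == "otp_challenge" for e in later):
                continue  # the second factor was at least presented in this session
            findings.append({
                "user": ev.user,
                "session": sid,
                "ip": ev.attrs.get("ip"),
                "login_ts": ev.ts.isoformat(),
                # what the unchallenged session went on to do (impact triage)
                "actions_without_otp": [
                    e.attrs.get("action", e.kind) for e in later if e.kind == "activity"
                ],
            })
    return findings


# Constructed sample: alice completes OTP, bob's session is never challenged,
# carol is challenged (completion is outside this check's scope).
SAMPLE_LOG = """\
2026-06-03T08:00:01Z ldap_auth_ok user=alice session=s1 ip=10.0.0.5
2026-06-03T08:00:02Z otp_challenge user=alice session=s1
2026-06-03T08:00:20Z otp_ok user=alice session=s1
2026-06-03T08:01:00Z activity user=alice session=s1 action=events/index
2026-06-03T09:15:00Z ldap_auth_ok user=bob session=s2 ip=203.0.113.9
2026-06-03T09:15:03Z activity user=bob session=s2 action=users/view
2026-06-03T09:15:08Z activity user=bob session=s2 action=auth_keys/index
2026-06-03T10:30:00Z ldap_auth_ok user=carol session=s3 ip=10.0.0.7
2026-06-03T10:30:01Z otp_challenge user=carol session=s3
"""

if __name__ == "__main__":
    for f in find_otp_gaps(SAMPLE_LOG.splitlines()):
        print(f"{f['login_ts']} user={f['user']} session={f['session']} ip={f['ip']} "
              f"no OTP challenge; actions: {', '.join(f['actions_without_otp'])}")
```

Correlating by session rather than by user is the point of the check: a user who logged in twice, once with OTP and once without, would otherwise be hidden behind the successful login. The actions list lets a responder prioritise sessions that touched API keys or sharing-group data over ones that only viewed the dashboard.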

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-45247 | Mirasvit Full Page Cache Warmer (Magento 2) | 9.8 | ~0.5% | Yes (2026-06-03) | Yes (Imperva; CISA KEV) | v1.11.12 | Sansec |
| CVE-2026-8206 | Kirki WordPress plugin | 9.8 | ~2% | No | Yes (222+ blocked/24h) | v6.0.7 | BleepingComputer |
| CVE-2026-8181 | Burst Statistics WordPress plugin | 9.8 | n/a | No | Yes (~7,400 blocked/24h) | v3.4.2 | BleepingComputer |
| CVE-2026-20230 | Cisco Unified Communications Manager | 8.6 (SIR: Critical) | ~0.1% | No | No ITW (PoC public) | 14SU6 / 15 COP | Cisco PSIRT |
| CVE-2026-10611 | MISP | 8.2 | n/a | No | No | commit 39b3cb15 | GHSA |
Tags: vulnerabilities · auth-bypass · identity · patch-available · global · europe · switzerland · CVE-2026-10611