CVE-2026-10854

MEDIUM

Unauthorized exposure of private galaxies in MISP event template creation

Title source: cna

Description

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.

References (1)

Core 1

Core References

Patch patch

https://github.com/MISP/MISP/commit/d3adfe1a097dd4b403364e9af34e208660eeec1a

View Patch ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0018

EPSS Percentile 7.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

misp/misp < 2.5.38

misp/misp < 2.5.39

Published Jun 04, 2026

Tracked Since Jun 04, 2026