CVE-2026-10860

MEDIUM

MISP CRUDComponent delete validation bypass via operator precedence error

Title source: cna

Description

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.

References (1)

Core 1

Core References

Patch patch

https://github.com/MISP/MISP/commit/a5877559dc88ad7a0c935910a652c130489ae2bd

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0020

EPSS Percentile 9.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

misp/misp < 2.5.38

misp/misp < 2.5.39

Published Jun 04, 2026

Tracked Since Jun 04, 2026