CVE-2026-10868

CRITICAL

MISP user edit endpoint mass assignment vulnerability allows unauthorized user account modification

Title source: cna

Description

A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity. The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.

References (1)

Core 1

Core References

https://github.com/MISP/MISP/commit/1be8c413b7104a889dfd30c5b1986e3ab17238e8

View Patch ZIP pw:eip

Scores

CVSS v4 9.0

EPSS 0.0024

EPSS Percentile 14.8%

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-269

Status published

Products (1)

misp/misp < 2.5.38

Published Jun 04, 2026

Tracked Since Jun 04, 2026