PatchSiren cyber security CVE debrief

CVE-2026-10854 misp CVE debrief

A visibility control issue was discovered in the event template creation workflow of MISP, allowing non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility.

Vendor: misp
Product: Unknown
CVSS: 5.3 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-05
Advisory published: 2026-06-04
Advisory updated: 2026-06-05

Who should care

Site administrators and users of MISP should be aware of this issue, since it concerns what non-site-admin roles can see, and should take the necessary actions to restrict access to private galaxies.

Technical summary

The event template builder loaded every enabled galaxy without applying organisation or distribution-based access restrictions, so any non-site-admin user could see private galaxies belonging to other organisations, including their type and description.

Defensive priority

MEDIUM

Recommended defensive actions

  • Restrict galaxy queries for non-site-admin users to galaxies owned by the user's organisation or galaxies with a non-private distribution setting.
  • Site administrators should review and update access controls to ensure that private galaxies are only accessible to authorised users.

Evidence notes

The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user's organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.
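The two galaxy-loading behaviours described in the recommended actions and the evidence notes, the unrestricted one and the fixed one, modelled in Python as an added example. This is not MISP's own code (MISP is a PHP application); the Galaxy and User classes, the sample galaxies and the function names are constructed for illustration. The only assumption about MISP itself is that distribution level 0 means "Your organisation only", the private setting the debrief refers to; that mapping comes from MISP's general distribution model, not from this page.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List

# MISP distribution level 0 is "Your organisation only", i.e. private.
# The numeric mapping is assumed from MISP's distribution model, not from the debrief.
DISTRIBUTION_ORG_ONLY = 0
DISTRIBUTION_COMMUNITY = 1  # any non-zero level is treated as non-private here


@dataclass(frozen=True)
class Galaxy:
    """Constructed stand-in for a galaxy record: only the fields the check needs."""
    name: str
    galaxy_type: str
    description: str
    org_id: int
    distribution: int
    enabled: bool = True


@dataclass(frozen=True)
class User:
    org_id: int
    is_site_admin: bool = False


def load_galaxies_unrestricted(galaxies: Iterable[Galaxy], user: User) -> List[Galaxy]:
    """Pre-fix behaviour: every enabled galaxy is returned regardless of who asks."""
    return [g for g in galaxies if g.enabled]


def galaxy_visible_to(galaxy: Galaxy, user: User) -> bool:
    """Fixed rule: site admins see all enabled galaxies; everyone else sees their
    own organisation's galaxies plus galaxies with a non-private distribution."""
    if not galaxy.enabled:
        return False
    if user.is_site_admin:
        return True
    if galaxy.org_id == user.org_id:
        return True
    return galaxy.distribution != DISTRIBUTION_ORG_ONLY


def load_galaxies_restricted(galaxies: Iterable[Galaxy], user: User) -> List[Galaxy]:
    """Post-fix behaviour: apply the visibility rule per galaxy."""
    return [g for g in galaxies if galaxy_visible_to(g, user)]


def leaked_private_galaxies(galaxies: Iterable[Galaxy], user: User,
                            loader: Callable[[Iterable[Galaxy], User], List[Galaxy]]) -> List[str]:
    """Regression check: names of other organisations' private galaxies that a
    loader hands to a non-site-admin user. An empty list means no exposure."""
    if user.is_site_admin:
        return []
    return [g.name for g in loader(galaxies, user)
            if g.distribution == DISTRIBUTION_ORG_ONLY and g.org_id != user.org_id]


# Constructed sample data: two organisations, one private and one shared galaxy each,
# plus a disabled galaxy that no loader should return.
SAMPLE_GALAXIES = (
    Galaxy("org-a-private", "threat-actor", "Org A internal actors", org_id=1,
           distribution=DISTRIBUTION_ORG_ONLY),
    Galaxy("org-a-shared", "tool", "Org A shared tooling", org_id=1,
           distribution=DISTRIBUTION_COMMUNITY),
    Galaxy("org-b-private", "sector", "Org B internal sectors", org_id=2,
           distribution=DISTRIBUTION_ORG_ONLY),
    Galaxy("org-b-disabled", "tool", "Org B retired galaxy", org_id=2,
           distribution=DISTRIBUTION_COMMUNITY, enabled=False),
)


def names(galaxies: Iterable[Galaxy]) -> List[str]:
    return [g.name for g in galaxies]


if __name__ == "__main__":
    org_b_user = User(org_id=2)
    print("unrestricted leaks:", leaked_private_galaxies(SAMPLE_GALAXIES, org_b_user, load_galaxies_unrestricted))
    print("restricted leaks:  ", leaked_private_galaxies(SAMPLE_GALAXIES, org_b_user, load_galaxies_restricted))
    print("org B sees:        ", names(load_galaxies_restricted(SAMPLE_GALAXIES, org_b_user)))
```

The `leaked_private_galaxies` check is the part worth keeping around: run against whatever loader backs a template builder, it reports exactly the condition this CVE describes, and a non-empty result for a non-site-admin user is the signal that the organisation and distribution filter is missing.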

Official resources

CVE-2026-10854 was published on 2026-06-04T14:16:37.630Z and modified on 2026-06-05T19:51:39.410Z.