PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10860 misp CVE debrief

CVE-2026-10860 is a HIGH severity vulnerability with a CVSS score of 7.9. The vulnerability exists in the MISP CRUD component delete handler, where a logic error allowed validation failures to be bypassed when requests used the HTTP DELETE method. This was due to missing parentheses in the delete condition, causing the expression to be evaluated incorrectly. An authenticated attacker with access to an affected delete endpoint could exploit this flaw to delete records that should have been protected by application-level validation or authorization checks.

Vendor: misp
Product: Unknown
CVSS: HIGH 7.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-08
Advisory published: 2026-06-04
Advisory updated: 2026-06-08

Who should care

Users of MISP (Malware Information Sharing Platform) should be aware of this vulnerability, especially those with administrative access to delete endpoints.

Technical summary

The vulnerability arises from a logic error in the delete handler of the MISP CRUD (Create, Read, Update, Delete) component. The delete condition lacked parentheses, so the expression was evaluated as ($validationError === null && POST) || DELETE. As a result, DELETE requests proceeded even when the delete validation callback had rejected the operation.
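The precedence error described above, shown beside a parenthesised form, as an added PHP example. This is not MISP's own code: the function names, the sample validation message and the corrected grouping are assumptions drawn from the description.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the delete condition without parentheses.
// In PHP, && binds tighter than ||, so this is evaluated as
// ($validationError === null && POST) || DELETE.
function deleteAllowedVulnerable(?string $validationError, string $method): bool
{
    return $validationError === null && $method === 'POST' || $method === 'DELETE';
}

// Assumed intended logic: the validation result gates both methods.
function deleteAllowedFixed(?string $validationError, string $method): bool
{
    return $validationError === null && ($method === 'POST' || $method === 'DELETE');
}

// Walk every method/validation combination and collect the ones where
// the two conditions disagree. Usable as a regression check for the fix.
function findBypassCases(): array
{
    $cases = [];
    foreach (['GET', 'POST', 'DELETE'] as $method) {
        // null = validation callback accepted; string = constructed rejection message
        foreach ([null, 'record is protected'] as $validationError) {
            $vulnerable = deleteAllowedVulnerable($validationError, $method);
            $fixed = deleteAllowedFixed($validationError, $method);
            if ($vulnerable !== $fixed) {
                $cases[] = [
                    'method' => $method,
                    'validationError' => $validationError,
                    'vulnerable' => $vulnerable,
                    'fixed' => $fixed,
                ];
            }
        }
    }
    return $cases;
}

foreach (findBypassCases() as $case) {
    printf(
        "method=%s validationError=%s vulnerable=%s fixed=%s\n",
        $case['method'],
        var_export($case['validationError'], true),
        var_export($case['vulnerable'], true),
        var_export($case['fixed'], true)
    );
}
```

The two conditions disagree only for a DELETE request whose validation callback returned an error, which is the case a regression test for the patched handler should cover.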

Defensive priority

HIGH

Recommended defensive actions

  • Apply the patch: see the advisory's resource link 'ref-4' for the specific commit that addresses this issue.

Evidence notes

The CVE record and NVD detail pages provide official information about this vulnerability. The patch is available on the MISP GitHub repository.

Official resources

CVE-2026-10860 was published on 2026-06-04T15:16:49.433Z and modified on 2026-06-08T13:54:42.657Z.