PatchSiren cyber security CVE debrief

CVE-2026-10861 misp CVE debrief

CVE-2026-10861 is an open redirect vulnerability in MISP UsersController::routeafterlogin(). An unauthenticated remote attacker could craft a link to redirect a victim to an attacker-controlled external URL after successful authentication, potentially increasing the credibility of phishing attacks or delivering attacker-controlled content. The vulnerability is described as CWE-601, which involves accepting user-controlled input that specifies an external link and using it in a redirect.

Vendor: misp
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-08
Advisory published: 2026-06-04
Advisory updated: 2026-06-08

Who should care

Users of MISP (Malware Information Sharing Platform) instances, particularly those who manage or interact with sensitive information, should be aware of this vulnerability. This includes MISP administrators, users with access to sensitive data, and security teams monitoring for potential phishing attacks or unauthorized redirects.

Technical summary

The open redirect vulnerability exists because the value stored in the pre_login_requested_url session key is used as the post-login redirect destination without sufficient enforcement that it is a local application path. The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms.
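The validation the technical summary describes, written here in Python as an added example rather than MISP's own PHP code; the session key name comes from the advisory, the sample values are constructed, and the backslash/control-character check is extra hardening beyond the checks the advisory lists.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample values standing in for the pre_login_requested_url session key,
# mapped to whether a safe implementation should accept them as a redirect target.
CONSTRUCTED_CASES = {
    "/events/index": True,
    "/events/view/42?correlation=1#attrs": True,
    "https://evil.example/login": False,   # absolute URL: scheme and host present
    "//evil.example/login": False,         # protocol-relative form
    "%2F%2Fevil.example": False,           # percent-encoded protocol-relative form
    "///evil.example": False,              # browsers collapse extra slashes to //host
    "javascript:alert(1)": False,          # scheme without a local path
    "user@evil.example/": False,           # user component, not a rooted path
    "events/index": False,                 # relative path, not rooted at "/"
    "": False,                             # missing path
    None: False,                           # key absent from the session
}


def is_local_redirect_target(raw):
    """Return True only when `raw` is a root-relative path on this application."""
    if not raw:
        return False
    url = unquote(raw)  # decode first so encoded separators are seen by the checks below
    # Extra hardening (not listed in the advisory): browsers treat backslashes as
    # slashes and strip control characters, so neither may appear in a local path.
    if "\\" in url or any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    if url.startswith("//"):  # protocol-relative, including "///host"
        return False
    parts = urlsplit(url)
    if parts.scheme or parts.netloc or parts.username or parts.password:
        return False
    if not parts.path.startswith("/"):  # path missing or not rooted
        return False
    return True


def post_login_destination(session, default="/"):
    """Pick the post-login redirect, falling back to `default` for unsafe values."""
    requested = session.get("pre_login_requested_url")
    return requested if is_local_redirect_target(requested) else default


if __name__ == "__main__":
    for value, expected in CONSTRUCTED_CASES.items():
        print(f"{value!r:40} -> {is_local_redirect_target(value)} (expected {expected})")
```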

Defensive priority

MEDIUM

Recommended defensive actions

  • Apply the patch: Upgrade to MISP version 2.5.39 or later, which includes the fix for this vulnerability.
  • Restrict URL redirects: Add checks that validate redirect destinations and accept only local application paths.
  • Monitor for suspicious activity: Review MISP instance logs for redirect attempts to external hosts and for unauthorized access.

Evidence notes

The CVE-2026-10861 vulnerability was published on 2026-06-04 and modified on 2026-06-08. The CVSS score is 5.1, indicating a medium severity. The vulnerability is categorized under CWE-601.

Official resources

The vulnerability affects MISP instances prior to version 2.5.39.