PatchSiren cyber security CVE debrief
CVE-2026-10864 misp CVE debrief
A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. This could lead to disclosure of restricted user or organisation metadata, including user e-mail addresses depending on configuration.
- Vendor: misp
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-08
Who should care
Authenticated low-privileged users with access to the affected dashboard widgets may be able to disclose restricted user or organisation metadata.
Technical summary
The issue was caused by applying field filtering and redaction in a way that could leave the selected field list empty. The patch ensures that the allowed field list is built safely, that restricted fields such as user e-mail addresses are removed before user-supplied field selection is processed, and that an empty field selection falls back only to the permitted default fields.
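An added example, not MISP source code and not taken from the linked commit: a minimal PHP model of the ordering problem described above, with the weak ordering beside the hardened one. The field names, the constants and the fetchRow() stand-in (in which an empty field list returns every column) are assumptions made for illustration.

```php
<?php
// Added illustration, not MISP code. All names and values are hypothetical.
const DEFAULT_FIELDS    = ['id', 'org_id', 'email', 'date_created'];
const RESTRICTED_FIELDS = ['email']; // hidden from this viewer by configuration

// Assumption: stand-in for a data layer where an empty field list means "all columns".
function fetchRow(array $fields): array
{
    // Constructed sample record.
    $row = ['id' => 7, 'org_id' => 2, 'email' => 'analyst@example.test',
            'date_created' => '2026-01-15', 'authkey' => 'CONSTRUCTED-VALUE'];
    return $fields === [] ? $row : array_intersect_key($row, array_flip($fields));
}

// Weak ordering: the user selection is applied first and redaction second.
// A selection made up only of restricted or unknown fields ends as [],
// which the data layer above treats as "no restriction".
function selectFieldsWeak(array $requested): array
{
    $fields = array_intersect($requested ?: DEFAULT_FIELDS, DEFAULT_FIELDS);
    return array_values(array_diff($fields, RESTRICTED_FIELDS));
}

// Hardened ordering, following the three points in the summary above.
function selectFieldsHardened(array $requested): array
{
    // 1. Build the allowed list with restricted fields already removed.
    $allowed = array_values(array_diff(DEFAULT_FIELDS, RESTRICTED_FIELDS));
    // 2. Only then process the user-supplied selection, ignoring non-string input.
    $requested = array_filter($requested, 'is_string');
    $fields = array_values(array_intersect($requested, $allowed));
    // 3. An empty selection falls back to the permitted defaults, never to [].
    return $fields === [] ? $allowed : $fields;
}

// Constructed selections: restricted only, mixed, unknown field, nothing selected.
foreach ([['email'], ['id', 'email'], ['authkey'], []] as $requested) {
    printf("requested=%s\n  weak     -> %s\n  hardened -> %s\n",
        json_encode($requested),
        json_encode(fetchRow(selectFieldsWeak($requested))),
        json_encode(fetchRow(selectFieldsHardened($requested))));
}
```

A regression test for this class of bug should assert that the hardened selector never returns an empty list and never returns a field outside the redacted default set, whatever the input.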
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the patch: [MISP commit 8722fda035b5b622de387ae1dd0159d71ff1e22e](https://github.com/MISP/MISP/commit/8722fda035b5b622de387ae1dd0159d71ff1e22e)
Evidence notes
CVE-2026-10864 has a CVSS score of 5.3 and is classified as MEDIUM severity.
Official resources
- CVE-2026-10864 CVE record (CVE.org)
- CVE-2026-10864 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: 5a6e4751-2f3f-4070-9419-94fb35b644e8 - Patch
CVE-2026-10864 was published on [2026-06-04](https://www.cve.org/CVERecord?id=CVE-2026-10864) and last modified on [2026-06-08](https://nvd.nist.gov/vuln/detail/CVE-2026-10864).