PatchSiren cyber security CVE debrief

CVE-2026-10868 misp CVE debrief

A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity. The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.

Vendor: misp
Product: Unknown
CVSS: CRITICAL 9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-04
Advisory published: 2026-06-04
Advisory updated: 2026-06-04

Who should care

Administrators and users of the MISP platform should be aware of this vulnerability and take immediate action to update their systems to prevent potential exploitation.

Technical summary

The vulnerability has a CVSS score of 9 and is classified as CRITICAL. It can be exploited by an authenticated attacker with low privileges, and the attack vector is network-based.

Defensive priority

HIGH

Recommended defensive actions

Update MISP to the latest version to ensure the User.id field is properly sanitized.
Restrict user edit functionality to authorized personnel only.
Monitor user account activity for suspicious changes.

Evidence notes

The CVE record and NVD detail pages provide further information on this vulnerability.

Official resources

CVE-2026-10868 CVE record
CVE.org
CVE-2026-10868 NVD detail
NVD
Source item URL
nvd_modified
Source reference
5a6e4751-2f3f-4070-9419-94fb35b644e8

CVE-2026-10868 was published on 2026-06-04T16:16:33.867Z and modified on 2026-06-04T16:20:27.330Z.