CVE-2026-10854

Unauthorized exposure of private galaxies in MISP event template creation

Assigner: CIRCL
Reserved: 04.06.2026 Published: 04.06.2026 Updated: 04.06.2026

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility.

The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green
CVSS Score: 5.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	misp
Product	misp
Versions	Default: unaffected affected from 0 to 2.5.38 (incl.)

Vendor

misp

Product

misp

Versions

Default: unaffected

affected from 0 to 2.5.38 (incl.)

Credits

Andras Iklody remediation developer

References

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE

Impacts

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs