CVE-2026-10854

Published: Giu 04, 2026 Last Modified: Giu 04, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,3

Source: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility.

The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.

200

Exposure of Sensitive Information to an Unauthorized Actor

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality

Potential Impacts:

Read Application Data

Applicable Platforms

Technologies: Not Technology-Specific, Web Based, Mobile

Likelihood of Exploit: High

View CWE Details

https://github.com/MISP/MISP/commit/d3adfe1a097dd4b403364e9…

https://github.com/MISP/MISP/commit/d3adfe1a097dd4b403364e9af34e208660eeec1a

CVE-2026-10854

Description

Exposure of Sensitive Information to an Unauthorized Actor

Common Consequences

Applicable Platforms

Iscriviti alla newsletter