CVE-2026-10860

Published: Giu 04, 2026 Last Modified: Giu 04, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,9

Source: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.

863

Incorrect Authorization

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Access Control Availability

Potential Impacts:

Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)

Applicable Platforms

Technologies: Web Server, Database Server, Not Technology-Specific

Likelihood of Exploit: High

View CWE Details

https://github.com/MISP/MISP/commit/a5877559dc88ad7a0c93591…

https://github.com/MISP/MISP/commit/a5877559dc88ad7a0c935910a652c130489ae2bd

CVE-2026-10860

Description

Incorrect Authorization

Common Consequences

Applicable Platforms

Iscriviti alla newsletter