CVE-2026-10868

Published: Giu 04, 2026 Last Modified: Giu 04, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,0

Source: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity.

The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.

269

Improper Privilege Management

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Gain Privileges Or Assume Identity

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: Medium

View CWE Details

https://github.com/MISP/MISP/commit/1be8c413b7104a889dfd30c…

https://github.com/MISP/MISP/commit/1be8c413b7104a889dfd30c5b1986e3ab17238e8

CVE-2026-10868

Description

Improper Privilege Management

Common Consequences

Applicable Platforms

Iscriviti alla newsletter