HIGH | CVE-2026-10611 | CNA: CIRCL

CVE-2026-10611: OTP bypass via plugin-based LDAP authentication in MISP when LDAP mixed authentication is enabled

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge. As a result, an attacker with valid primary authentication credentials could bypass the required OTP step by authenticating through the plugin-backed login flow and then directly accessing another application URL instead of completing the OTP verification page. This allows access to the application as the affected user without providing a valid TOTP, HOTP, or email OTP code. The issue affects configurations where plugin-based authentication is enabled and OTP is expected to be mandatory. The fix ensures that OTP requirements are checked immediately after plugin authentication and before the user session is established, redirecting users to the appropriate OTP challenge when required.
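
The ordering problem described above, as a simplified model. This is an added example, not MISP code: the paths, session keys and function names are hypothetical, and the credentials and OTP value are constructed. With `fixed=False` the plugin step creates the session before the OTP challenge; with `fixed=True` the challenge comes first, as the fix is described.

```python
import hmac

# Simplified model, not MISP code. Assumes LdapAuth.mixedAuth=true and
# Security.require_otp=true; paths and session keys are hypothetical.
DIRECTORY = {"alice": "pw"}          # constructed plugin (LDAP-like) backend
OTP_CODES = {"alice": "492817"}      # constructed current OTP per user

def plugin_authenticate(creds):
    """Primary-factor check performed by the authentication plugin."""
    user, password = creds
    return user if DIRECTORY.get(user) == password else None

def handle(session, path, *, fixed, creds=None, otp=None):
    """One request: beforeFilter phase, then the action. Returns (status, target)."""
    # beforeFilter phase: plugin authentication runs ahead of every action.
    if creds and "user" not in session:
        user = plugin_authenticate(creds)
        if user:
            session["otp_pending"] = user
            if fixed:
                return 302, "/otp"       # fixed: OTP challenge before any session
            session["user"] = user       # flawed: session exists before the OTP step
    # Action phase.
    if path == "/otp" and otp is not None:
        pending = session.get("otp_pending")
        if pending and hmac.compare_digest(otp, OTP_CODES[pending]):
            session["user"] = session.pop("otp_pending")
            return 302, "/"
        return 403, "/otp"
    if path == "/login" and "otp_pending" in session:
        return 302, "/otp"               # OTP is enforced only inside the login flow
    if "user" not in session:
        return 302, "/login"
    return 200, path

def password_only_then_other_url(fixed):
    """Authenticate with the password alone, then request a different URL."""
    session = {}
    first = handle(session, "/login", fixed=fixed, creds=("alice", "pw"))
    second = handle(session, "/events", fixed=fixed)
    return first, second
```

The same two-request sequence works as a regression check after upgrading: the second request must not return application content until the OTP step has succeeded.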

Metrics

  • CVSS v4.0: 8.2
  • Severity: HIGH
  • Fixed in: none listed
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability exists in MISP, an open-source threat intelligence platform, when LDAP mixed authentication and OTP enforcement are both enabled. The flaw is reachable over the network and requires no prior authentication; an attacker with valid primary (password) credentials can skip the mandatory OTP challenge entirely by authenticating through the LDAP plugin path and then navigating directly to any application URL before the OTP gate is applied. Successful exploitation gives the attacker full access to the authenticated user's MISP session, exposing stored threat intelligence data. HarborGuard is tracking this advisory for patch availability, as no fix version has been published upstream.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-10611 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built MISP deployments. Any image found to carry an affected MISP version (2.5.38 or earlier) is flagged immediately in the relevant pipeline stage.
Triage: Available

Triage is available with CVSS v4.0 scoring at 8.2 (HIGH), and each finding can be weighted against the per-environment compliance policy configured for that customer org. Routed alerts surface in the inbox of the team or individual responsible for the affected workload, keeping noise out of unrelated queues.
Patch: Pending upstream

Because no upstream fix version has been published yet, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment MISP ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically as soon as a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the MISP web interface over the network; the vulnerable login flow is exposed as a standard HTTP endpoint.

  • Authentication: Not required

    No pre-existing session or privilege is needed; the attacker only requires valid primary (username and password) credentials, which are not a privilege barrier in the CVSS model.

  • Victim interaction: Not required

    The attacker completes the bypass entirely through their own requests; no user action or social engineering is needed.

  • Attack complexity: Detail

    Base exploit steps are condition-free and reliable, though the CVSS AT:P token notes that a specific deployment configuration (LdapAuth.mixedAuth=true combined with Security.require_otp=true) must be present for the bypass to apply.

Blast Radius

  • Reads the authenticated user's full MISP session, including access to stored indicators of compromise, threat events, and sharing-group memberships.
  • Accesses any MISP functionality the compromised account is authorized for, such as event creation, feed configuration, or API key retrieval.
  • Exposes inter-organization sharing channels if the compromised account belongs to a user with cross-organization data access.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-10611 at this time, HarborGuard monitors the MISP advisory on every ingest cycle and surfaces a finding for any image running MISP 2.5.38 or earlier with no remediation to suppress it. While waiting for an upstream patch, compensating controls worth evaluating include network-policy isolation that restricts MISP ingress to known source IPs or internal VPN ranges only, disabling LdapAuth.mixedAuth if mixed authentication is not operationally required, and enforcing egress filtering to limit lateral movement from a compromised session. The moment MISP publishes a patched release, HarborGuard will make a rebuilt image available, and for customers with auto-remediation enabled the pipeline will open a PR against affected workloads without manual intervention.
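
One way to triage a deployment against the conditions stated on this page (affected version range plus both settings). This is an added example, not HarborGuard or MISP code; it assumes the settings have already been exported into a nested dict keyed like the dotted names used here, and the helper names are hypothetical.

```python
import re

# Added triage helper, not HarborGuard or MISP code. Assumes settings were
# exported into a nested dict keyed like the dotted names on this page.
LAST_AFFECTED = (2, 5, 38)   # "misp / misp <= 2.5.38" from this advisory

def parse_version(text):
    """Turn 'v2.5.38' or '2.5.38' into a comparable tuple of ints."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised MISP version: {text!r}")
    return tuple(int(part) for part in match.groups())

def setting(config, dotted, default=False):
    """Look up 'Section.key' in a nested dict; missing keys fall back to default."""
    node = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def is_enabled(value):
    """Accept booleans and the string/int forms exported configs often contain."""
    if isinstance(value, str):
        return value.strip().lower() in {"1", "true", "yes", "on"}
    return bool(value)

def assess(version, config):
    """Return (exposed, reasons_not_exposed) for CVE-2026-10611."""
    reasons = []
    if parse_version(version) > LAST_AFFECTED:
        reasons.append(f"version {version} is outside the listed range (<= 2.5.38)")
    if not is_enabled(setting(config, "LdapAuth.mixedAuth")):
        reasons.append("LdapAuth.mixedAuth is not enabled")
    if not is_enabled(setting(config, "Security.require_otp")):
        reasons.append("Security.require_otp is not enabled, so OTP is not mandatory")
    return (not reasons, reasons)
```

An empty reasons list means all three conditions hold; disabling `LdapAuth.mixedAuth`, where mixed authentication is not operationally required, is the compensating control named above that clears the finding.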

Affected packages
  • misp / misp
    ≤ 2.5.38
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N