HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-10860Published Modified CNA CIRCL

CVE-2026-10860: MISP CRUDComponent delete validation bypass via operator precedence error

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.

Metrics

CVSS v4.0
7.9
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A logic error (operator precedence bug) in MISP's CRUDComponent delete handler allows authentication validation to be bypassed on delete operations. The flaw is reachable over the network with no authentication required, because the broken conditional evaluates any HTTP DELETE request as passing validation regardless of the outcome of the application's authorization callback. Successful exploitation lets an attacker permanently delete records that should be protected by MISP's application-level validation and authorization checks. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including CIRCL's advisory channel, within minutes of publication and matched against customer images running any affected MISP version (2.5.38 and below), including custom-built images that bundle MISP. Coverage extends to images in both registry scans and active CI/CD pipeline checks.

Available
Triage

HarborGuard scores this finding at CVSS 7.9 (HIGH) using the published v4.0 vector and weights it against each customer environment's compliance policy to determine urgency and routing. Triage results are surfaced to the appropriate team inbox within each customer org based on configured policy rules.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment MISP publishes a corrected release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated automatically as soon as an upstream fix is confirmed.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the MISP instance over the network; the vulnerable delete endpoint is exposed via HTTP.

  • AuthenticationNot required

    No authentication is required; the broken conditional allows any HTTP DELETE request to bypass the validation callback entirely.

  • Victim interactionNot required

    No victim interaction is needed; the attacker sends the malformed request directly without social engineering.

  • Attack complexityDetail

    Attack complexity is low; the exploit is reliable and condition-free, requiring only a well-formed HTTP DELETE request to the affected endpoint.

Blast Radius

  • An attacker permanently deletes records that application-level validation was configured to protect, bypassing MISP's own authorization callbacks.
  • Deleted records in MISP may include threat-intelligence events, indicators of compromise, or sharing-group entries, causing irreversible data loss.
  • Downstream systems and organizations sharing data via MISP lose access to the deleted records, with high impact on the availability of shared cyber-threat intelligence (SA:H).
  • Because the flaw bypasses authorization checks rather than authentication, any network-accessible MISP instance is exposed regardless of user privilege level.

How HarborGuard Handles This

Available on HarborGuard: images running MISP 2.5.38 or earlier are flagged as affected on every scan cycle, and the finding is routed to the appropriate team based on each environment's compliance policy. Because no upstream fix has been published, HarborGuard re-checks the CIRCL advisory on every ingest cycle; the moment a patched MISP release is confirmed, a rebuilt image becomes available and, for customers with auto-remediation enabled, a regression run and pull request against affected workloads are initiated automatically. In the meantime, consider compensating controls: restrict access to MISP's delete endpoints via network policy or an ingress allow-list, apply egress filtering to limit lateral reach from the MISP container, and review MISP's role and permission configuration to minimize the number of accounts with access to sensitive delete endpoints.

See how HarborGuard automates this
Affected packages
  • misp / misp
    ≤ 2.5.38
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H
References