HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-10868Published Modified CNA CIRCL

CVE-2026-10868: MISP user edit endpoint mass assignment vulnerability allows unauthorized user account modification

A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity. The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.

Metrics

CVSS v4.0
9.0
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A mass assignment vulnerability in MISP's user edit endpoint (UsersController::edit()) allows an unauthenticated network attacker to craft a request that targets another user's account by injecting a foreign User.id into the request payload. The flaw exists because the application failed to strip the User.id field from user-supplied input before processing edits, enabling writes to apply to an unintended account. Successful exploitation allows modification of arbitrary user account attributes, undermining account integrity across the MISP instance. No upstream fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-10868 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including CIRCL's advisory channel) within minutes of publication and matched against all customer images, including custom-built MISP images, in both registry scans and CI/CD pipeline checks.

Available
Triage

HarborGuard scores this CVE at CVSS 9.0 (Critical) and surfaces it with that severity weighting in each customer's findings dashboard, applying any per-environment compliance policy rules to route the alert to the appropriate team or inbox within the customer org.

Available
Patch

Because no upstream fix version for MISP has been published, HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment CIRCL or the MISP project ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention at that point.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the MISP instance to exploit this flaw.

  • AuthenticationNot required

    The CVSS vector specifies PR:N, meaning no account or credential is needed to reach and exploit the vulnerable endpoint.

  • Victim interactionNot required

    The CVSS vector specifies UI:N; the attacker sends a crafted request directly and does not need any action from another user to trigger the vulnerability.

  • Attack complexityDetail

    Base complexity is Low (AC:L), meaning the exploit is reliable and condition-free, though the AT:P token indicates a specific attack prerequisite (such as knowledge of a target user identifier) must be satisfied.

Blast Radius

  • An attacker can overwrite account attributes (such as email address, role, or password hash) on any targeted MISP user account without that user's knowledge.
  • Modifying account fields on privileged users (such as administrators) can escalate the attacker's effective access or lock legitimate users out of their accounts.
  • The CVSS vector records high integrity impact on both the vulnerable system (VI:H) and the subsequent system scope (SI:H), meaning changes can propagate to data or systems that depend on MISP user records, such as threat-sharing workflows and connected integrations.
  • Confidentiality impact is rated Low (VC:L), so incidental exposure of user account data during the edit operation is also possible.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for this Critical-severity mass assignment flaw, HarborGuard continuously re-checks the CIRCL advisory on every ingest cycle. The moment MISP publishes a fix, a patched-image rebuild becomes available automatically, and customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without any manual steps. In the interim, compensating controls available to customers include applying network-policy isolation to restrict inbound access to the MISP user-edit endpoint to trusted IP ranges only, enabling egress filtering to limit lateral movement if an account is compromised, and reviewing MISP's feature-flag or ACL configuration to require strong authentication at the application layer even where the CVSS vector records no authentication requirement at the network perimeter. HarborGuard will surface any upstream advisory update as a new finding event so affected environments can act immediately on patch availability.

See how HarborGuard automates this
Affected packages
  • misp / misp
    ≤ 2.5.38
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:H/SA:N
References