CVE-2026-10854 MEDIUM

CVE-2026-10854: Unauthorized exposure of private galaxies in MISP event template creation

Vendor Misp
Product misp
Weakness CWE-200 · Info exposure
Published June 4, 2026
Last update June 4, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green

What the vulnerability does

01Description

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.

Key dates

02Disclosure timeline

June 4, 2026 CVE published
June 4, 2026 Record updated