CVE-2026-10860 HIGH

CVE-2026-10860: MISP CRUDComponent delete validation bypass via operator precedence error

Vendor Misp
Product misp
Weakness CWE-863 · Incorrect authorization
Published June 4, 2026
Last update June 11, 2026

CVSS base score

7.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H

What the vulnerability does

01Description

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.

Key dates

02Disclosure timeline

June 4, 2026 CVE published
June 11, 2026 Record updated