CVE-2026-10868 CRITICAL

CVE-2026-10868: MISP user edit endpoint mass assignment vulnerability allows unauthorized user account modification

Vendor Misp
Product misp
Weakness CWE-269
Published June 4, 2026
Last update June 4, 2026

CVSS base score

9.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:H/SA:N

What the vulnerability does

01Description

A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity. The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.

Key dates

02Disclosure timeline

June 4, 2026 CVE published
June 4, 2026 Record updated