CVEFinder.io

CVE-2026-10855

πŸ”Ά medium
πŸ” Scan for this CVE
Summary

An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcibly overwrite an event template owned by another organization. Successful exploitation cou

Description

An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcibly overwrite an event template owned by another organization.



Successful exploitation could allow unauthorized modification of another organization’s event template, potentially altering template structure, attributes, or metadata used for subsequent event creation or sharing workflows. Site administrators are not affected by this restriction, as they are explicitly allowed to overwrite templates across organizations.



The issue was fixed by enforcing an ownership check before overwrite: non-site-admin users may only overwrite templates owned by their own organization.

CVSS Score
4.3
Medium
EPSS Score
0.2
Exploit Probability
Published Date
2026-06-04
First Seen: 2026-06-05
πŸ“Š Relative Risk Intelligence

This CVE is Lower Risk - more severe than 5.4% of all 329,778 vulnerabilities in our database.

#311,950
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Jun 4, 2026
πŸ” Exploitation Status
None
No known exploits
βš™οΈ Automatable
NO
Requires human interaction
πŸ’₯ Technical Impact
Partial
Limited system impact
πŸ† Discovered By
Andras Iklody (remediation developer) Jeroen Pinoy
SSVC data provided by CISA
Last Modified 2026-06-22
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-862

πŸ“¦ Affected Products 2

Vendor Product Status Affected Versions
misp misp Affected
< 2.5.39
misp-project misp Affected
< 2.5.39

πŸ”— References 1

https://github.com/MISP/MISP/commit/7c2200d143bef86a...
Patch

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-56423 ⚠️ high 8.8 0.3 MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The a... 2026-06-22
CVE-2026-56424 ⚠️ high 8.8 0.4 MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong ent... 2026-06-22
CVE-2026-56446 ⚠️ high 7.2 0.4 MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool... 2026-06-22
CVE-2026-56447 ⚠️ high 7.2 0.3 MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path... 2026-06-22
CVE-2026-10854 πŸ”Ά medium 4.3 0.2 A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxi... 2026-06-04
CVE-2026-10856 πŸ”Ά medium 6.1 0.2 A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a loc... 2026-06-04
These CVEs affect the same products