CVE-2026-10854: MISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
CVE-2026-10854 is a visibility control flaw in MISP's event template creation feature that allowed unauthorized users to see private galaxy data from other organizations. When creating an event template, the system listed all enabled galaxies without checking whether the user's organization owned them or whether they were marked private. This exposed sensitive metadata like galaxy type and description to users who shouldn't have access. The vulnerability requires authentication to exploit and affects only information disclosure—no data modification or denial of service is possible. MISP has patched the issue by filtering galaxy visibility based on organization ownership and distribution settings.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-22
NVD description (verbatim)
A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The event template builder in MISP failed to enforce access controls when populating available galaxies. The underlying query returned all enabled galaxies regardless of the requesting user's organizational context or the galaxies' distribution settings. Non-site-admin users could enumerate and view metadata from private galaxies belonging to other organizations, violating the intended multi-tenant isolation model. The fix implements role-based filtering: non-admin users now see only galaxies their organization owns or galaxies with public (non-private) distribution settings. Site administrators retain full visibility. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Business impact
For MISP operators managing multi-tenant or multi-organization deployments, this vulnerability risks information leakage about threat intelligence assets. Private galaxies may contain custom threat models, organizational taxonomy, or sensitive classification schemes—exposing these to rival teams or external organizations could compromise competitive advantage or reveal defensive posture. The impact is limited to information disclosure with no integrity risk, but in threat-sharing communities or security consortia, metadata visibility can itself inform strategic decisions. Organizations with strict data compartmentalization policies should treat this as a control failure requiring prompt remediation.
Affected systems
MISP (Malware Information Sharing Platform) instances running versions before the patch are affected. The vulnerability applies to any MISP deployment where non-admin users have event template creation privileges and where private galaxies exist across multiple organizations. Site administrators are not affected by the access control bypass. Standalone MISP instances with a single organization may see reduced exposure but should still patch to maintain security posture.
Exploitability
Exploitation requires valid MISP authentication; the vulnerability cannot be triggered by anonymous users. An authenticated attacker must navigate to the event template creation workflow and examine the galaxy dropdown or API responses to enumerate private galaxies. No special privileges, social engineering, or additional tooling are needed beyond MISP access. The attack surface is limited to users with template creation rights, but in many deployments this includes analysts and automation accounts. The CVSS score of 4.3 (Medium) reflects the low attack complexity and the limited scope of information exposed, offset by the authentication requirement.
Remediation
Apply the patch released by MISP that restricts galaxy visibility queries for non-admin users to owned and public galaxies. This involves updating the event template builder's galaxy enumeration logic to filter based on organization membership and distribution settings. Site administrators should validate that their private galaxies remain hidden from cross-organization users after patching and confirm that site admins retain full visibility for auditing and management purposes. No configuration changes are typically required post-patch.
Patch guidance
Consult the official MISP security advisory and release notes published on or after 2026-06-04 (publication date) through 2026-06-22 (modification date) for the specific patched version number and deployment instructions. Most MISP installations use standard package managers or Docker containers; apply the update using your standard deployment pipeline. After patching, restart the MISP application and verify that event template workflows correctly filter galaxies for non-admin users.
Detection guidance
Review MISP audit logs for event template creation activity by non-admin users during the window before patching. Search for API calls to galaxy enumeration endpoints (typically `/api/galaxies`) made by users outside the site-admin group; compare returned galaxy lists against expected organization-owned or public galaxies to identify potential information access anomalies. Monitor event template builder access patterns for systematic enumeration behavior. In MISP 2.4.x+, enable verbose logging on the template builder to capture gallery queries and filter conditions.
Why prioritize this
Although rated CVSS Medium (4.3), this vulnerability should receive prompt attention in any multi-organizational MISP deployment because it violates core access control assumptions. Threat intelligence sharing is built on trust and data compartmentalization; information leakage—even metadata—undermines that model. If your MISP instance hosts galaxies for competing organizations, research teams, or sensitive threat communities, prioritize patching within your standard maintenance window. For single-organization deployments, it remains a security fix but is lower urgency.
Risk score, explained
The CVSS 3.1 score of 4.3 places this in Medium severity. The score reflects: (1) network attack vector (readily exploitable via web interface), (2) low complexity (no special conditions or timing required), (3) authentication required (limits casual exploitation), (4) low impact on confidentiality (metadata exposure only, not bulk data theft), and (5) no impact on integrity or availability. The score appropriately captures a bounded information disclosure risk in a multi-tenant context.
Frequently asked questions
Can an attacker modify or delete private galaxies via this vulnerability?
No. CVE-2026-10854 is purely an information disclosure issue. The access control failure only allows viewing metadata (galaxy type, description); it does not grant write or delete permissions. Integrity and availability of galaxies remain protected.
Does this affect single-organization MISP deployments?
Technically yes, but the practical risk is minimal. If your MISP instance hosts galaxies only for one organization, there are no 'other organizations' whose private data can be exposed. Nevertheless, best practice is to patch all versions to maintain defense-in-depth and prepare for future organizational growth.
Will site administrators lose visibility after the patch?
No. Site administrators retain full visibility of all enabled galaxies, including private ones. The patch only restricts non-admin users. This ensures admins can continue auditing and managing the galaxy catalog.
How can I verify the patch is working correctly?
After patching, log in as a non-admin user and navigate to event template creation. Verify that the galaxy dropdown lists only galaxies your organization owns or public galaxies, not private galaxies from other organizations. Repeat as a site administrator to confirm full visibility is retained. You can also review MISP logs for successful access control filtering.
This analysis is provided for informational purposes and reflects the vulnerability details as of the published and modified dates listed. Security teams should verify all patch version numbers and deployment guidance against official MISP security advisories and their vendor's documentation. Exploit code and detailed proof-of-concept steps are not provided. Organizations should conduct their own risk assessment based on their specific MISP deployment topology and multi-tenancy model. SEC.co does not endorse or guarantee the completeness of any third-party patches or workarounds. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-2128MEDIUMBreeze WordPress Plugin Cache Information Disclosure (v2.5.2 and earlier)
- CVE-2026-28511MEDIUMeLabFTW Information Disclosure – Title Exposure via Cross-Scope Search
- CVE-2026-36602MEDIUMMercusys AC12G Kernel Memory Disclosure via UPnP
- CVE-2026-36615MEDIUMMercusys AC12G (EU) Unauthenticated Information Disclosure via /agileconfigreset Endpoint
- CVE-2026-36618MEDIUMMercusys AC12G DNS Version Disclosure Vulnerability
- CVE-2026-42358MEDIUMApache Airflow Secret Masking Bypass for Deeply Nested JSON Variables