CVE-2026-10856: MISP Dashboard URL Validation Bypass – Phishing Risk
MISP dashboard widgets contain a URL validation flaw that allows attackers to craft malicious buttons appearing to link within the application while actually redirecting users to external sites. The vulnerability stems from incomplete validation that accepts paths like '/\example.com', which browsers may normalize into scheme-relative URLs pointing to attacker-controlled domains. An attacker with dashboard configuration access can embed these crafted buttons to redirect legitimate users, creating phishing and credential-theft opportunities.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-601
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-22
NVD description (verbatim)
A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Some browsers normalize backslashes in URLs as forward slashes, which can turn this into a scheme-relative external navigation target. In addition, the generated href concatenated the reconstructed URL with the original URL, increasing the possibility of unsafe or malformed link generation. An attacker able to configure or influence a dashboard button URL could craft a button that appears to point inside the application but redirects users to an attacker-controlled site when clicked. This could be used for phishing, credential theft, or social engineering. The patch fixes the issue by rejecting empty paths and paths starting with /\, and by emitting only the reconstructed validated URL in the anchor href.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10856 is a URL validation bypass in MISP's dashboard button widget functionality. The validation logic rejects URLs containing explicit schemes, hosts, or user components, but fails to properly handle paths beginning with forward slash followed by backslash (e.g., /\example.com). Browser URL normalization converts backslashes to forward slashes in certain contexts, transforming these paths into scheme-relative external navigation targets (//example.com). Additionally, the vulnerable code concatenates the reconstructed URL with the original input when generating the anchor href attribute, compounding the risk of malformed or unsafe link generation. The patch addresses this by rejecting empty paths and paths starting with /\, and by using only the validated reconstructed URL in the href attribute.
Business impact
Dashboard button manipulation could be weaponized for credential harvesting and phishing attacks against MISP users. Since MISP is typically deployed in threat intelligence operations centers as a central intelligence platform, compromised dashboard buttons could target security analysts and incident responders—users likely to handle sensitive credentials. The attack requires no user agent exploitation; it relies on social engineering and trust in the application interface. Organizations using MISP for collaborative threat sharing may face secondary risk if attackers use compromised instances to distribute malicious buttons across federated networks.
Affected systems
This vulnerability affects MISP (Malware Information Sharing Platform) instances where users have the ability to configure or create dashboard buttons. The vulnerability is in the misp-project/misp product line. Organizations running MISP deployments should audit dashboard button configurations, particularly those created by users with administrative or dashboard editing privileges. The issue does not require MISP to be exposed to the internet; it can be exploited by any user with dashboard modification access, including internal users or compromised accounts.
Exploitability
Exploitation requires either direct dashboard configuration access or the ability to influence button URL settings through a stored XSS, account compromise, or API manipulation. The attack itself is trivial once a crafted URL is injected—users need only click the button. No special browser configuration or user interaction beyond normal clicking is required. The barrier to initial exploitation is access to dashboard configuration; the barrier to successful attack is social engineering users into clicking a button that appears legitimate because it is housed within the trusted application interface.
Remediation
Apply the patch that fixes URL validation by rejecting empty paths and paths beginning with /\, and by ensuring only the validated reconstructed URL is used in the href attribute. Organizations should also audit existing dashboard buttons for suspicious URLs, particularly those created recently or by privileged users. Restrict dashboard button creation permissions to trusted administrators where possible, and consider implementing approval workflows for button additions in multi-user deployments.
Patch guidance
Upgrade MISP to a version that includes the fix for CVE-2026-10856. Consult the MISP project advisory and release notes to identify the patched version number. After patching, review and re-validate all existing dashboard buttons, especially those pointing to internal paths or created by administrative users. Test button functionality in multiple browsers to confirm the fix does not break legitimate internal navigation.
Detection guidance
Monitor MISP dashboard configuration changes for URLs containing backslash characters, paths starting with forward slash-backslash sequences, or unusual URL patterns deviating from normal internal link conventions. Review audit logs for modifications to dashboard buttons and cross-reference timestamps with user activity. In network-based detection, look for MISP users navigating to unexpected external domains immediately after clicking dashboard buttons. Behavioral indicators include users being redirected from MISP to phishing domains or credential-harvesting sites referenced in browser history.
Why prioritize this
Although CVSS 6.1 rates this as MEDIUM severity, the attack surface is broad—any user with dashboard access is a potential attacker, and any MISP user is a potential target. The social engineering component is high-impact because users expect links in the application interface to be safe. Prioritize patching if your MISP instance allows untrusted or semi-trusted users to create dashboard buttons, or if it is part of a federated threat intelligence network where compromised instances could propagate malicious buttons. Organizations with strict dashboard administration controls can deprioritize slightly but should still patch within normal maintenance windows.
Risk score, explained
CVSS 6.1 (MEDIUM) reflects the requirement for user interaction (button click) and the need for prior access to dashboard configuration. The network-accessible attack vector and scope change (affecting users beyond the compromised component) elevate the score. Integrity and confidentiality impacts are both low because the attack enables phishing and redirection rather than direct data exfiltration or modification. The absence of CVSS availability impact and the conditional nature of exploitation (requires user click and social engineering) prevent a higher rating, though real-world impact can exceed the numeric score if targeting high-value users.
Frequently asked questions
Can this vulnerability be exploited without direct access to MISP configuration?
No, the vulnerability requires the ability to create or modify dashboard buttons, which typically requires administrative or dashboard editor privileges. However, if MISP has an unauthenticated or low-privilege stored XSS flaw, or if an attacker compromises a user account with button creation rights, the vulnerability becomes exploitable.
Will users see a warning before being redirected to the external site?
No. The crafted button appears as a legitimate dashboard element housed within the MISP application interface. Browsers may show the external URL in the status bar when hovering over the link, but most users do not check this. The attack succeeds because users trust buttons within the application and do not expect external redirection.
Does this vulnerability allow code execution or data theft from MISP?
No. This is a client-side URL validation flaw that enables redirection to external sites. It does not directly expose MISP data, execute code on the server, or compromise credentials stored in MISP. Its danger lies in using the application as a trust-building vector for phishing campaigns targeting MISP users.
How can we temporarily reduce risk before patching?
Restrict dashboard button creation to fully trusted administrators, conduct a full audit of existing buttons and remove any with suspicious or unusual URL patterns, and communicate to users that they should verify dashboard links before clicking them. Implement role-based access controls limiting who can modify dashboard configurations. These are interim measures and do not replace patching.
This analysis is provided for informational and defensive security purposes only. The information is accurate as of the publication date but may require verification against official vendor advisories. Organizations should validate patch availability and compatibility in their specific MISP deployment environments before applying updates. No exploit code or proof-of-concept is provided. Security teams should assess their own environment's risk posture and apply patches according to their change management policies. SEC.co does not guarantee completeness of this analysis and recommends cross-referencing official MISP project documentation for the most current information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10861MEDIUMMISP Open Redirect Vulnerability in Post-Login Flow
- CVE-2026-40181MEDIUMReact Router Open Redirect Vulnerability (v6 & v7)
- CVE-2026-41569MEDIUMauthentik WS-Federation URL Validation Bypass Leading to Credential Theft
- CVE-2026-40961HIGHApache Airflow Open Redirect Vulnerability (CVSS 7.2)
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10855MEDIUMMISP Event Template Authorization Flaw – Patch Guidance
- CVE-2026-10860MEDIUMMISP Delete Validation Bypass – Logic Error in HTTP DELETE Handler
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)