CVE-2026-10860: MISP Delete Validation Bypass – Logic Error in HTTP DELETE Handler
CVE-2026-10860 is a logic error in MISP's delete handler that allows authenticated users to bypass validation checks and delete records they shouldn't be able to. The flaw stems from a missing parenthesis in the conditional logic that evaluates HTTP DELETE requests, causing the validator to be skipped when a DELETE method is used. While an attacker must already be authenticated, they can exploit this to circumvent application-level protections and remove protected data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-863
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-22
NVD description (verbatim)
A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
A missing parenthesis in the MISP CRUD delete component creates a precedence error in the validation condition. The expression evaluates as ($validationError === null && POST) || DELETE instead of ($validationError === null && (POST || DELETE)). This means any DELETE request bypasses the validation callback entirely, regardless of rejection status. An authenticated user sending a DELETE request to a protected endpoint will proceed past the authorization layer even if the delete validation callback has explicitly rejected the operation, effectively circumventing both application-level validation and authorization checks tied to that callback.
Business impact
An authenticated insider or compromised account holder can delete business-critical records that should be protected by validation rules or role-based access controls. In MISP environments used for threat intelligence sharing, this could result in loss of collaborative threat data, disruption of incident response workflows, or corruption of shared intelligence artifacts. The integrity of your threat intelligence repository becomes questionable if records can be silently removed by those who should have limited permissions.
Affected systems
MISP (Malware Information Sharing Platform) instances are affected. The specific version range has not been disclosed in public advisories; verify the patch availability status against the MISP project's security advisories and your deployment version. If you operate or depend on a MISP instance for threat intelligence, your deployment should be evaluated for exposure.
Exploitability
Exploitation requires valid authentication credentials and network access to an affected delete endpoint. No authentication bypass is involved. The attack is straightforward once an attacker has legitimate access: they simply send a properly formed DELETE request to an endpoint that normally enforces validation, and the logic flaw allows it to succeed. This is classified as MEDIUM severity (CVSS 6.5) because it requires prior authentication, but the impact on integrity is high given the ability to delete protected records without authorization.
Remediation
Upgrade MISP to the patched version released by the MISP project. Verify the exact patched version against the official MISP security advisory to ensure you apply the correct fix. Organizations should treat this as a timely patch given the straightforward exploitation path for authenticated users and the data integrity risk.
Patch guidance
Contact the MISP project or consult their official security advisories to identify the patched version that addresses this logic error. Apply the patch during a maintenance window after validating in a non-production environment. Test delete operations post-patch to confirm that validation callbacks are now properly enforced and that deletion attempts are blocked when validation rejects them.
Detection guidance
Monitor HTTP DELETE requests to MISP endpoints for patterns that suggest exploitation: repeated DELETE attempts on the same record IDs, deletion of records that should be protected by policy, or DELETE requests originating from users or service accounts with lower privilege levels than would normally have delete permissions. Log and alert on any validation callback failures followed by successful DELETE operations, as this sequence may indicate exploitation. Review audit logs for unexpected record deletions, particularly of high-value threat intelligence or sensitive collaborative data.
Why prioritize this
Although CVSS 6.5 indicates MEDIUM severity, the vulnerability warrants prompt attention because it directly undermines data integrity controls and allows authenticated users to bypass protective validation. In a threat intelligence sharing environment like MISP, data integrity is critical; loss of records or unauthorized deletion can degrade operational effectiveness. Prioritize patching for externally accessible MISP instances or those with untrusted user populations. Internal-only instances with well-controlled user access have lower risk but should still be patched in the next maintenance cycle.
Risk score, explained
CVSS 6.5 reflects a MEDIUM severity rating: the attack vector is network-based (AV:N) and requires low complexity (AC:L), but mandates prior authentication (PR:L). The scope is unchanged (S:U) and there is no confidentiality impact (C:N), but integrity impact is high (I:H) due to the ability to delete protected records. The high integrity impact is offset by the authentication requirement, resulting in a MEDIUM overall score that balances the serious integrity implications against the attacker's need for valid credentials.
Frequently asked questions
What if we're running MISP in an air-gapped environment with trusted administrators only?
Risk is significantly lower in that context, but you should still apply the patch when convenient. The logic error is real and could be exploited by a malicious insider. If your MISP instance is only accessible to a small, vetted team, you have time to schedule a standard maintenance window for the update.
Can we detect if this vulnerability has been exploited in our MISP logs?
Yes, examine delete audit logs for validation callback rejections that were followed by successful deletion of the same record. Review logs for DELETE requests to protected endpoints from low-privileged accounts, and correlate those with timestamps of unexpected data loss. Consider implementing alerting on failed validation events paired with deletion success.
Does this vulnerability allow an unauthenticated attacker to delete records?
No. An attacker must possess valid authentication credentials to exploit this flaw. The vulnerability bypasses validation logic for authenticated users only. Ensure strong access controls and credential hygiene on MISP user accounts to limit exposure.
Are there workarounds if we cannot patch immediately?
Until patching is possible, restrict DELETE method permissions at the network or reverse-proxy layer for MISP delete endpoints to only trusted administrative accounts, or disable the HTTP DELETE method entirely if your workflow permits. However, these are temporary measures—patching should be scheduled promptly to resolve the root logic error.
This analysis is based on the CVE-2026-10860 official description and CVSS metrics. Specific patch versions, MISP release notes, and detailed mitigation steps should be verified against the MISP project's official security advisories and vendor documentation. The vulnerability is not listed on the CISA KEV catalog. Organizations should conduct their own risk assessment based on their MISP deployment architecture, user base, and data criticality. No exploit code or weaponized proof-of-concept is provided or endorsed herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-32906MEDIUMOpenClaw Privilege Escalation in Slack Plugin Approvals
- CVE-2026-34507MEDIUMOpenClaw QQBot Admin Command Policy Bypass (CVSS 5.4)
- CVE-2026-35673MEDIUMOpenClaw SSRF Policy Bypass in Debug and Export Routes
- CVE-2026-40914MEDIUMApache Artemis STOMP Protocol Authorization Bypass
- CVE-2026-42547MEDIUMIRIS Authorization Bypass Allows False Alert Creation and Customer Data Exfiltration