MEDIUM 6.1

CVE-2026-10861: MISP Open Redirect Vulnerability in Post-Login Flow

MISP, a widely-used threat intelligence sharing platform, contains an open redirect vulnerability in its post-login redirect logic. When a user logs in, the application redirects them to a URL stored in the session without properly validating that the destination is actually part of the MISP application. An attacker can craft a malicious link that tricks users into visiting their legitimate MISP instance, then redirects them to an attacker-controlled website after they authenticate. This could be weaponized for phishing by appearing to come from a trusted source or to deliver malware from a domain the victim might not otherwise visit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-601
Affected products
1 configuration(s)
Published / Modified
2026-06-04 / 2026-06-22

NVD description (verbatim)

An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence. The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\example.com.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in UsersController::routeafterlogin() where the pre_login_requested_url session parameter is used to determine post-authentication redirect destinations. The application fails to enforce that the stored URL is a local path, allowing attackers to inject external URLs. CWE-601 (URL Redirection to Untrusted Site) describes this class of weakness. The patch mitigates the issue by decoding and parsing the redirect URL, then rejecting any URL that contains a scheme, host, user component, or is missing a local path. It also blocks protocol-relative URLs (//example.com) and backslash variants (/\example.com) that could bypass initial checks.

Business impact

Organizations running MISP for threat intelligence collaboration face increased risk of credential harvesting and lateral attack vectors. If MISP users are redirected to phishing pages or malware distribution sites after logging in, attackers gain a foothold that leverages the trust users place in their threat intelligence platform. For security teams that rely on MISP to coordinate incident response, this vulnerability could compromise the integrity of their intelligence workflow and create opportunities for social engineering attacks that appear to originate from internal infrastructure.

Affected systems

The vulnerability affects MISP installations (misp-project/misp). The exact version scope is not specified in available advisories; organizations should verify affected versions against the vendor advisory. Any MISP deployment exposed to unauthenticated users is vulnerable during the login process.

Exploitability

Exploitation requires user interaction (a victim must click a crafted link), but no special privileges are required on the attacker side. The attack surface is the MISP login page, which is typically public-facing. Crafting the malicious URL is trivial, and the technique is well-understood in web security. An attacker could distribute the link via email, chat, or social media; it would appear to direct to the legitimate MISP instance until after authentication occurs. This is classified as MEDIUM severity (CVSS 6.1) because it requires user interaction and causes low confidentiality and integrity impact, but does not enable denial of service or system compromise.

Remediation

Apply the vendor patch when available. The patch enforces strict URL validation by parsing the redirect destination and rejecting any URL with an external scheme, host, user info, or protocol-relative path. Organizations should verify the patched version against the official MISP advisory. Until patching, reduce exposure by restricting MISP access to authenticated networks, using a reverse proxy to enforce origin validation on redirect parameters, or educating users to verify the URL in their browser address bar after login.

Patch guidance

Consult the official MISP advisory for the specific patched version. Apply updates through the standard MISP update mechanism. After patching, verify that redirect behavior is restricted to local application paths (e.g., /events, /attributes) and external URLs are rejected. Test by attempting to craft a login URL with a malicious redirect parameter and confirm it is rejected or redirects locally.

Detection guidance

Monitor MISP logs for suspicious pre_login_requested_url session parameters that contain external domains or schemes (http://, https://, //, etc.). Look for patterns where legitimate users are redirected immediately after login, particularly to domains outside your organization. Web application firewalls or proxies can detect and block common open redirect patterns in URL parameters. Alert on any successful login followed by a redirect to an external IP or domain.

Why prioritize this

While the CVSS score is MEDIUM (6.1), prioritization depends on organizational context. MISP instances that are internet-facing and used by external threat intelligence partners should be patched urgently, as they represent a high-value target for adversaries seeking to compromise security teams. Internal MISP deployments behind authentication can be deprioritized, but external-facing instances should be treated as HIGH priority due to the social engineering risk and the sensitivity of threat intelligence workflows.

Risk score, explained

CVSS 6.1 (MEDIUM) reflects the requirement for user interaction, the lack of direct system compromise, and limited scope impact. The vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N indicates network-accessible, low attack complexity, no privileges required, user interaction required, changed scope (the attack crosses a trust boundary to an external domain), and low impact on confidentiality and integrity. The score appropriately captures that this is a social engineering vector rather than a direct technical exploit, but the reputational and operational damage in a threat intelligence context may warrant treating it as higher priority operationally.

Frequently asked questions

Can an attacker use this vulnerability to compromise MISP itself or steal data?

No. This vulnerability does not grant the attacker access to MISP or its data. It only redirects authenticated users away from MISP to an external URL after they log in. The attacker cannot read threat intelligence, modify data, or gain MISP credentials through this vulnerability alone. However, it can be used to direct users to a credential harvesting site or malware delivery platform.

Does the vulnerability affect users who do not click on a malicious link?

No. The vulnerability requires an attacker to send a specially crafted link to a user, and the user must click it and successfully authenticate to MISP. Users who access MISP normally through bookmarks or direct entry are not affected.

What is the difference between this and a simple phishing email?

A key difference is that the malicious redirect originates from the legitimate MISP domain after login, which increases the attacker's credibility. A victim sees they have successfully logged into their real MISP instance, and the redirect appears to be part of normal application behavior, making phishing follow-up more convincing. An attacker could use this to redirect to a counterfeit MISP login page to capture credentials a second time.

Should we prioritize this patch above other MISP updates?

If your MISP instance is internet-facing or accessed by external partners, yes—prioritize it as urgent because it directly enables social engineering attacks on security professionals. If MISP is internal-only and behind strong access controls, deprioritize relative to critical security patches, but still apply it within a standard patch cycle.

This analysis is provided for informational purposes and reflects the state of CVE-2026-10861 as of the published date. Verify all affected versions, patch availability, and patch version numbers against the official MISP advisory and vendor documentation. Risk prioritization should be adapted to your organization's network architecture, MISP exposure model, and threat context. This document does not constitute professional security advice; consult your security team and vendor guidance for remediation decisions. No exploit code, proof-of-concept, or weaponized demonstration is provided or intended. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).