CVE-2026-10863: MISP Correlations Query Ordering Vulnerability (CVSS 8.1)
A vulnerability in MISP's correlations endpoint allowed authenticated users to manipulate how search results were ordered by injecting values into the order parameter. Rather than applying a server-defined sort, the application accepted user input that could be passed unsafely to the database layer. An attacker with valid credentials could exploit this to reorder results in ways the application designers didn't intend, potentially exposing information through creative query construction or gaining visibility into data the endpoint should have restricted.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-22
NVD description (verbatim)
A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value was processed by the underlying data access layer, this could allow manipulation of database query ordering and potentially expose the application to unsafe query construction. The patch removes order from the set of request-controlled parameters and instead sets the ordering server-side to occurrence desc after processing allowed user parameters. Affected component: app/Controller/CorrelationsController.php, overCorrelations() Security impact: An authenticated attacker could influence the ordering clause used by the over-correlations query. The direct impact appears limited to query manipulation unless further evidence confirms SQL injection or unauthorized data exposure through the manipulated ordering expression.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10863 is an improper input validation flaw (CWE-20) in MISP's CorrelationsController.php overCorrelations() method. The endpoint accepted an 'order' query parameter from user-controlled request parameters without validation, allowing authenticated users to inject arbitrary ordering clauses into database queries. The patch removes user control over ordering and enforces server-side ordering as 'occurrence desc' after processing legitimate user parameters. The underlying risk stems from the endpoint's failure to validate and sanitize the order parameter before it reached the data access layer, creating conditions favorable to query manipulation.
Business impact
Organizations deploying MISP for threat intelligence correlation and analysis face exposure to unauthorized information disclosure. An authenticated insider or compromised user account could manipulate query ordering to surface correlations or metadata that should remain hidden, potentially revealing investigation scope, threat actor tracking patterns, or sensitive intelligence relationships. This is particularly damaging in multi-tenant or federated MISP environments where result ordering can expose which organizations or indicators are being correlated. The confidentiality impact is rated high because reordered queries can leak information through side-channel access to result sets.
Affected systems
MISP project's MISP application is affected. Vulnerable versions are those released before the patch that enforces server-side ordering in the overCorrelations() method. Organizations running MISP instances should consult the official MISP advisory to identify the exact patched version number and determine whether their deployed version requires updating.
Exploitability
Exploitation requires valid authentication credentials, making this an insider risk or secondary compromise scenario rather than an unauthenticated attack vector. No CISA KEV entry currently exists, indicating limited evidence of active exploitation in the wild at this time. The attack is trivial once credentials are obtained—a simple HTTP parameter manipulation—requiring no special tools or complex payloads. The barrier to exploitation is authentication; the barrier to execution is minimal.
Remediation
Apply the patch that removes user-controlled ordering from the overCorrelations() endpoint and implements fixed server-side ordering. Verify the patched version in your MISP deployment against the vendor release notes. Additionally, review MISP instance access logs for unusual query patterns from authenticated accounts, particularly those accessing the correlations endpoint with non-standard order parameters. Consider implementing network-layer rate limiting on the endpoint if internal policy permits.
Patch guidance
Consult the MISP project's official security advisory and release notes to identify the specific patched version. Update MISP to the first released version after 2026-06-04 that includes the fix to CorrelationsController.php. Test the update in a non-production environment to verify that legitimate correlation queries and over-correlation functionality operate as expected before deploying to production. The patch is server-side only and requires no client-side changes.
Detection guidance
Monitor authentication logs for access to the /correlations/overCorrelations endpoint. Log and alert on repeated requests to this endpoint from the same user account, especially if accompanied by varied or unusual order parameter values. Search proxy or application logs for GET/POST requests containing 'order=' parameters in the correlations endpoint URI. Review correlation result sets for anomalous ordering patterns or unexpected data exposure. Implement a baseline of normal ordering behavior and flag deviations.
Why prioritize this
The CVSS 3.1 score of 8.1 (HIGH) reflects a high confidentiality and integrity impact, low complexity, and low attack vector due to network-accessible authentication. Although authentication is required, the ease of exploitation, potential for sensitive intelligence exposure, and high impact on confidentiality warrant prompt patching. Organizations should prioritize this update for production MISP instances, particularly those handling sensitive threat intelligence.
Risk score, explained
The score of 8.1 results from: (AV:N) network-accessible attack surface; (AC:L) low complexity once authenticated; (PR:L) authenticated user required, limiting casual exploitation; (UI:N) no user interaction needed; (S:U) scope unchanged; (C:H) confidentiality impact rated high due to potential information disclosure through query reordering; (I:H) integrity concern from unauthorized query construction; (A:N) no availability impact. The authentication requirement prevents this from being critical, but the high-impact confidentiality and integrity outcomes justify the 8.1 severity.
Frequently asked questions
Does this vulnerability allow unauthenticated access to MISP data?
No. Exploitation requires valid authentication credentials. This is an insider-risk or secondary-compromise vulnerability, not an unauthenticated attack vector.
What is the practical impact if someone reorders correlations results?
An attacker could potentially expose hidden metadata, intelligence relationships, or scope of investigations by manipulating the order in which correlated data is returned. In federated or multi-tenant MISP deployments, reordering could reveal which organizations or indicators are being tracked together.
Has this vulnerability been actively exploited?
As of the publication date, there is no CISA KEV entry for this CVE, indicating no confirmed active exploitation in the wild. However, organizations should not delay patching based on this absence.
Do I need to restart MISP after applying the patch?
Verify the patch documentation from the MISP project. Most server-side application patches require a restart or service reload to take effect. Test in a non-production environment first.
This analysis is based on the published CVE record and vendor advisory information as of 2026-06-22. Specific patch version numbers, deployment timelines, and affected version ranges should be verified directly with the MISP project's official security advisory. SEC.co does not provide guarantee of remediation effectiveness and recommends independent testing before production deployment. Indicators of compromise and detection guidance should be tailored to your environment and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-10020HIGHChrome Android Sandbox Escape via Skia Input Validation Flaw
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)
- CVE-2026-10920HIGHChrome macOS WebShare Sandbox Escape Vulnerability (v149)