MEDIUM 4.3

CVE-2026-10864: MISP Dashboard Widget Field Filtering Bypass (Medium)

A flaw in MISP's dashboard widgets allows authenticated users with low-level access to bypass field restrictions and view sensitive information they shouldn't have access to. By manipulating which data fields the New Users and New Organisations widgets display, attackers can circumvent settings designed to hide user email addresses and other restricted organization metadata. The vulnerability stems from how the application processes field filtering—if redaction leaves the field list empty, it falls back to returning unfiltered data instead of enforcing safe defaults.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
1 configuration(s)
Published / Modified
2026-06-04 / 2026-06-22

NVD description (verbatim)

A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause the underlying query to fall back to returning unintended model fields. For the New Users widget, this could allow a non-site-admin user to obtain user e-mail addresses even when user e-mail disclosure was disabled by configuration. For the New Organisations widget, crafted field selection could similarly result in unintended organisation fields being included in the dashboard response. The issue was caused by applying field filtering and redaction in a way that could leave the selected field list empty. The patch ensures that the allowed field list is built safely, that restricted fields such as user e-mail addresses are removed before user-supplied field selection is processed, and that an empty field selection falls back only to the permitted default fields. Impact: An authenticated low-privileged user with access to the affected dashboard widgets may be able to disclose restricted user or organisation metadata, including user e-mail addresses depending on configuration.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10864 involves improper field filtering and redaction logic in MISP dashboard widgets. When a user supplies a crafted field selection that becomes empty after validation or redaction, the application fails to enforce a safe fallback, instead returning unintended model fields. The root cause is the order of operations: field filtering and redaction occur after user-supplied field selection is processed, creating a window where restricted fields (like user.email) can be accessed by non-admin users even when administratively disabled. The patch reorders this logic to build the allowed field list first, remove restricted fields before processing user input, and enforce permitted defaults for empty selections.

Business impact

Organizations running MISP for threat intelligence and incident coordination face unauthorized disclosure of user contact information and organizational metadata. This undermines access control policies and privacy controls, potentially enabling social engineering campaigns if attacker emails are leaked, or exposing organizational structure to threat actors. Low-privileged users (analysts, junior staff) can access data intended only for administrators, violating principle-of-least-privilege and complicating audit trails. For compliance-sensitive environments (healthcare, finance), unintended email disclosure may trigger notification obligations.

Affected systems

MISP (Malware Information Sharing Platform) dashboard functionality is affected. The vulnerability is present in the New Users and New Organisations widgets, requiring an authenticated user account to exploit. Non-admin users with basic dashboard access are the primary attack vector. Versions prior to the patch release are vulnerable; check the MISP project advisory for exact version cutoffs.

Exploitability

Exploitability is moderate and practical. An attacker must have valid MISP credentials (low barrier—many organizations grant broad analyst access), but requires no administrative privileges or additional interaction. The attack is entirely client-side manipulation of widget parameters and leaves no obvious audit trail if logging is not verbose. However, exploitation is limited to authenticated sessions and does not grant code execution or system-level access, earning the CVSS 3.1 score of 4.3 (Medium severity).

Remediation

Update MISP to a patched version that enforces safe field filtering logic. Verify the patch version and release notes from the MISP project advisory. After patching, test dashboard widgets to confirm email and organization field restrictions are respected. Additionally, audit dashboard access controls: restrict access to dashboards to users who genuinely need it, and review any previous dashboard logs if available to detect historical exploitation attempts.

Patch guidance

Apply the latest MISP patch addressing CVE-2026-10864 as released by the MISP project. Consult the official MISP advisory for specific patch versions and deployment instructions. Given the low technical barrier to exploit (only requires authentication), prioritize this patch over optional feature updates. Test the patch in a staging environment to verify dashboard widget behavior, particularly the New Users and New Organisations widgets, before production rollout.

Detection guidance

Monitor for suspicious dashboard widget usage patterns: repeated requests to the New Users or New Organisations widgets with unusual or rapidly changing field parameters, particularly from non-admin accounts. If verbose logging is available, examine dashboard widget API calls for field manipulation attempts. Review audit logs for unauthorized access to email fields or organization fields that should be restricted by policy. Correlate dashboard access with subsequent social engineering or reconnaissance activity targeting leaked email addresses.

Why prioritize this

While the CVSS score is moderate (4.3), the impact is material for organizations using MISP as a central threat intelligence hub. The vulnerability directly undermines access control policy and can leak contact information. However, it requires authentication, making it lower priority than unauthenticated exploits. Prioritize patching if you have restrictive data policies (e.g., user emails disabled by design) or if MISP is shared across security teams with varying privilege levels.

Risk score, explained

CVSS 3.1 score of 4.3 (Medium) reflects the requirement for authentication (PR:L), absence of integrity or availability impact (I:N/A:N), and low confidentiality loss (C:L) from a single user's perspective. However, the ease of exploitation, breadth of affected widgets, and potential for chained social engineering elevate practical risk beyond the base score. In multi-tenant or cross-team MISP deployments, the risk is higher.

Frequently asked questions

Do I need to worry about this if my MISP instance is not on the internet?

Authentication is still required, so you only face risk if your MISP users are untrusted or if account compromise is a concern. If your instance is internal-only and user accounts are well-managed, risk is lower—but the patch should still be applied as part of routine maintenance.

Can this vulnerability be exploited without a MISP user account?

No. The vulnerability requires valid authentication credentials. An attacker must already have a user account with dashboard access. This significantly raises the bar compared to unauthenticated vulnerabilities.

What if I have user email disclosure already disabled in configuration?

Disabling email disclosure in MISP configuration is the intended protection. This vulnerability circumvents that protection, allowing authenticated users to see emails anyway. Patching removes the bypass. Until patched, assume any authenticated user could access restricted fields.

Does this vulnerability allow code execution or unauthorized admin access?

No. The vulnerability is limited to information disclosure—accessing fields that should be hidden. It does not grant code execution, privilege escalation to admin, or any ability to modify data.

This analysis is based on publicly available CVE data and the official MISP advisory. Patch version numbers, vendor timelines, and deployment specifics must be verified against the official MISP project advisory before implementation. No exploit code or proof-of-concept is provided. Organizations should test patches in non-production environments before rollout. This assessment does not substitute for independent security review or vendor guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).