CVE Alert

CVE-2026-10854

UNKNOWN 0.0

Unauthorized exposure of private galaxies in MISP event template creation

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user's organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.
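The access rule described above, modelled as an added example for regression-testing the behaviour; it is not MISP's code and not the code from the fix commit. The table and column names, the `user` dictionary and the sample rows are constructed assumptions, and distribution `0` is assumed to be the private level.

```python
import sqlite3

# Constructed model: table/column names and the user dict are assumptions,
# not MISP's schema. Distribution 0 is assumed to mean "private".
PRIVATE = 0

ROWS = [
    # id, name, org_id, distribution, enabled (constructed sample rows)
    (1, "org1-private", 1, 0, 1),
    (2, "org2-private", 2, 0, 1),
    (3, "org2-shared", 2, 3, 1),
    (4, "org2-private-disabled", 2, 0, 0),
    (5, "org1-disabled", 1, 3, 0),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE galaxies (id INTEGER PRIMARY KEY, name TEXT, "
        "org_id INTEGER, distribution INTEGER, enabled INTEGER)"
    )
    db.executemany("INSERT INTO galaxies VALUES (?, ?, ?, ?, ?)", ROWS)
    return db

def galaxies_before_fix(db, user):
    """Pre-fix behaviour: every enabled galaxy; the user is never consulted."""
    cur = db.execute("SELECT name FROM galaxies WHERE enabled = 1 ORDER BY id")
    return [row[0] for row in cur]

def galaxies_after_fix(db, user):
    """Post-fix behaviour: non-site-admins are scoped by owner or distribution."""
    sql = "SELECT name FROM galaxies WHERE enabled = 1"
    params = []
    if not user["site_admin"]:
        # Own organisation's galaxies, or any galaxy that is not private.
        sql += " AND (org_id = ? OR distribution != ?)"
        params = [user["org_id"], PRIVATE]
    cur = db.execute(sql + " ORDER BY id", params)
    return [row[0] for row in cur]

def leaked(db, user):
    """Galaxies the unscoped query returns that the scoped one withholds."""
    before = set(galaxies_before_fix(db, user))
    return sorted(before - set(galaxies_after_fix(db, user)))
```

For a non-site-admin in organisation 1, `leaked()` returns only the other organisation's private, enabled galaxy; for a site admin it returns nothing, matching the retained full visibility.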

CWE CWE-200
Vendor misp
Product misp
Published Jun 4, 2026
Last Updated Jun 4, 2026

Affected Versions

misp / misp
0 ≤ 2.5.38

References

github.com: https://github.com/MISP/MISP/commit/d3adfe1a097dd4b403364e9af34e208660eeec1a

Credits

Andras Iklody