Executive Summary

This vulnerability exists in MISP when LDAP mixed authentication is enabled together with mandatory OTP (One-Time Password) enforcement. In such configurations, users authenticated through an external plugin like LDAP may have their session established before the OTP verification step is enforced.

As a result, an attacker who has valid primary credentials can bypass the required OTP step by authenticating through the plugin-backed login flow and then accessing other application URLs directly, skipping the OTP challenge page. This means the attacker can access the application as the authenticated user without providing a valid OTP code.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker with valid primary authentication credentials to bypass the required OTP (One-Time Password) step in MISP when LDAP mixed authentication and OTP enforcement are enabled. By bypassing the OTP step, the attacker can gain unauthorized access to user accounts without completing the multi-factor authentication process.

Such an authentication bypass undermines the security controls intended to protect sensitive data and user identities, which can negatively impact compliance with common standards and regulations like GDPR and HIPAA. These regulations require strong authentication mechanisms to protect personal and sensitive information, and failure to enforce multi-factor authentication properly could lead to violations of these requirements.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with valid primary authentication credentials to bypass the additional security layer provided by OTP. Consequently, unauthorized access to user accounts can occur without completing the OTP verification.

This can lead to unauthorized access to sensitive information or functionality within the MISP application, potentially compromising the confidentiality and integrity of the data managed by the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability occurs when MISP is configured with LDAP mixed authentication enabled (LdapAuth.mixedAuth=true) and OTP enforcement required (Security.require_otp=true), allowing bypass of the OTP step. Detection involves verifying these configuration settings and monitoring authentication flows.

To detect exploitation attempts, you can check for user sessions established without completing the OTP challenge, especially by monitoring access patterns where users authenticate via LDAP and then access application URLs without OTP verification.

Specific commands are not provided in the available resources, but general approaches include:

• Review MISP configuration files to confirm if LdapAuth.mixedAuth and Security.require_otp are enabled.
• Analyze web server or application logs for sessions where users authenticated via LDAP access protected URLs without OTP challenge logs.
• Use network monitoring tools to detect unusual authentication flows bypassing OTP steps.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation is to apply the patch provided for CVE-2026-10611 which enforces OTP verification immediately after plugin-based authentication and before session establishment.

This patch modifies the authentication flow in MISP to ensure that users authenticated via LDAP or other plugins cannot bypass the OTP challenge by accessing other URLs.

If patching is not immediately possible, consider temporarily disabling LDAP mixed authentication or OTP enforcement until the fix can be applied, to prevent bypass.

• Apply the official patch from the MISP repository that adds the __pluginLoginRequiresOtp() method and updates authentication plugin loading.
• Verify that the configuration settings LdapAuth.mixedAuth=true and Security.require_otp=true are correctly enforced.
• Monitor authentication logs for suspicious activity indicating OTP bypass attempts.

Useful 0 Not Useful 0