CVE-2026-10611
Awaiting Analysis - Queue
Authentication Bypass in MISP via LDAP Mixed Auth

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge. As a result, an attacker with valid primary authentication credentials could bypass the required OTP step by authenticating through the plugin-backed login flow and then directly accessing another application URL instead of completing the OTP verification page. This allows access to the application as the affected user without providing a valid TOTP, HOTP, or email OTP code. The issue affects configurations where plugin-based authentication is enabled and OTP is expected to be mandatory. The fix ensures that OTP requirements are checked immediately after plugin authentication and before the user session is established, redirecting users to the appropriate OTP challenge when required.
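The ordering problem and the fix described above, as a simplified Python model added here for illustration; it is not MISP source code. The paths, the user and OTP tables, and the names plugin_authenticate, before_filter, handle and walk are constructed placeholders.

```python
# Simplified model of the flawed and fixed ordering (illustrative; not MISP source code).
from dataclasses import dataclass
from typing import Optional

CONFIG = {"LdapAuth.mixedAuth": True, "Security.require_otp": True}
DIRECTORY = {"alice": "correct-password"}  # constructed stand-in for the LDAP backend
OTP_CODES = {"alice": "492817"}            # constructed stand-in for TOTP/HOTP/email OTP
LOGIN, OTP_PAGE, PROTECTED = "/login", "/otp-challenge", "/protected/page"  # placeholders

@dataclass
class Session:
    user: Optional[str] = None         # set only once the user counts as logged in
    otp_pending: Optional[str] = None  # passed the plugin, still owes an OTP

def plugin_authenticate(creds):
    """Hypothetical plugin hook: username if the primary credentials match."""
    user, password = creds
    return user if DIRECTORY.get(user) == password else None

def before_filter(session, creds, fixed):
    """Runs ahead of every action, like the beforeFilter phase in the description."""
    if session.user or not creds or not CONFIG["LdapAuth.mixedAuth"]:
        return
    user = plugin_authenticate(creds)
    if user and fixed and CONFIG["Security.require_otp"]:
        session.otp_pending = user  # fixed: OTP requirement checked before any session
    elif user:
        session.user = user         # flawed: session exists before the OTP challenge

def handle(session, path, creds=None, otp=None, fixed=True):
    """Dispatch one request; returns (status, body or redirect target)."""
    before_filter(session, creds, fixed)
    if path == OTP_PAGE and session.otp_pending:
        if otp != OTP_CODES.get(session.otp_pending):
            return 403, "invalid OTP"
        session.user, session.otp_pending = session.otp_pending, None
        return 302, "/"
    if path == LOGIN and (session.user or session.otp_pending):
        return 302, OTP_PAGE  # the login flow itself does send the user to the challenge
    if session.user is None:
        return 302, (OTP_PAGE if session.otp_pending else LOGIN)
    return 200, f"{path} as {session.user}"

def walk(fixed):
    """Pass plugin authentication, skip the challenge, request another URL."""
    s = Session()
    handle(s, LOGIN, creds=("alice", "correct-password"), fixed=fixed)
    return handle(s, PROTECTED, fixed=fixed)
```

With fixed=False the second request is served as the user; with fixed=True it is redirected to the challenge until a valid code is submitted.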
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-02
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: misp | Product: misp | Version / Range: *
CWE ID: CWE-287
Description: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in MISP when LDAP mixed authentication is enabled together with mandatory OTP (One-Time Password) enforcement. In such configurations, users authenticated through an external plugin like LDAP may have their session established before the OTP verification step is enforced.

As a result, an attacker who has valid primary credentials can bypass the required OTP step by authenticating through the plugin-backed login flow and then accessing other application URLs directly, skipping the OTP challenge page. This means the attacker can access the application as the authenticated user without providing a valid OTP code.


How can this vulnerability impact me?

This vulnerability allows an attacker with valid primary authentication credentials to bypass the additional security layer provided by OTP. Consequently, unauthorized access to user accounts can occur without completing the OTP verification.

This can lead to unauthorized access to sensitive information or functionality within the MISP application, potentially compromising the confidentiality and integrity of the data managed by the system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs when MISP is configured with LDAP mixed authentication enabled (LdapAuth.mixedAuth=true) and OTP enforcement required (Security.require_otp=true), allowing bypass of the OTP step. Detection involves verifying these configuration settings and monitoring authentication flows.

To detect exploitation attempts, you can check for user sessions established without completing the OTP challenge, especially by monitoring access patterns where users authenticate via LDAP and then access application URLs without OTP verification.

Specific commands are not provided in the available resources, but general approaches include:

  • Review MISP configuration files to confirm if LdapAuth.mixedAuth and Security.require_otp are enabled.
  • Analyze web server or application logs for sessions where users authenticated via LDAP access protected URLs without OTP challenge logs.
  • Use network monitoring tools to detect unusual authentication flows bypassing OTP steps.
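One way to carry out the log-correlation step above, as an added Python example that is not from the MISP project. The event schema, field names and paths are constructed for this example and are not MISP's log format; map your own web server and application log fields onto them.

```python
# Added detection sketch. The event schema below is constructed for this example;
# it is not MISP's log format.
from collections import defaultdict

EXEMPT = {"/login", "/otp-challenge", "/logout"}  # placeholder paths reachable before OTP

EVENTS = [  # constructed sample events
    {"t": 1, "session": "s1", "type": "auth", "method": "ldap", "user": "alice"},
    {"t": 2, "session": "s1", "type": "otp_ok", "user": "alice"},
    {"t": 3, "session": "s1", "type": "request", "path": "/protected/page", "status": 200},
    {"t": 4, "session": "s2", "type": "auth", "method": "ldap", "user": "bob"},
    {"t": 5, "session": "s2", "type": "request", "path": "/otp-challenge", "status": 200},
    {"t": 6, "session": "s2", "type": "request", "path": "/protected/page", "status": 200},
    {"t": 7, "session": "s3", "type": "auth", "method": "ldap", "user": "carol"},
    {"t": 8, "session": "s3", "type": "request", "path": "/protected/page", "status": 302},
    {"t": 9, "session": "s4", "type": "auth", "method": "local", "user": "dave"},
    {"t": 10, "session": "s4", "type": "request", "path": "/protected/page", "status": 200},
]


def find_otp_gaps(events, plugin_methods=("ldap",)):
    """Return (session, user, path, t) for each session that was served a
    protected path after plugin authentication but before any OTP success."""
    state = defaultdict(lambda: {"user": None, "plugin": False, "otp": False})
    findings, flagged = [], set()
    for ev in sorted(events, key=lambda e: e["t"]):
        s = state[ev["session"]]
        if ev["type"] == "auth":
            # A new primary authentication resets the OTP state for the session.
            s.update(user=ev["user"], plugin=ev["method"] in plugin_methods, otp=False)
        elif ev["type"] == "otp_ok":
            s["otp"] = True
        elif ev["type"] == "request":
            # Redirects to the challenge (3xx) are expected; only served pages count.
            served = 200 <= ev["status"] < 300 and ev["path"] not in EXEMPT
            if served and s["plugin"] and not s["otp"] and ev["session"] not in flagged:
                flagged.add(ev["session"])
                findings.append((ev["session"], s["user"], ev["path"], ev["t"]))
    return findings
```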

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to apply the patch provided for CVE-2026-10611, which enforces OTP verification immediately after plugin-based authentication and before session establishment.

This patch modifies the authentication flow in MISP to ensure that users authenticated via LDAP or other plugins cannot bypass the OTP challenge by accessing other URLs.

If patching is not immediately possible, consider temporarily disabling LDAP mixed authentication or OTP enforcement until the fix can be applied, to prevent bypass.

  • Apply the official patch from the MISP repository that adds the __pluginLoginRequiresOtp() method and updates authentication plugin loading.
  • Verify that the configuration settings LdapAuth.mixedAuth=true and Security.require_otp=true are correctly enforced.
  • Monitor authentication logs for suspicious activity indicating OTP bypass attempts.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker with valid primary authentication credentials to bypass the required OTP (One-Time Password) step in MISP when LDAP mixed authentication and OTP enforcement are enabled. By bypassing the OTP step, the attacker can gain unauthorized access to user accounts without completing the multi-factor authentication process.

Such an authentication bypass undermines the security controls intended to protect sensitive data and user identities, which can negatively impact compliance with common standards and regulations like GDPR and HIPAA. These regulations require strong authentication mechanisms to protect personal and sensitive information, and failure to enforce multi-factor authentication properly could lead to violations of these requirements.

