CVE-2026-10863
Analyzed Analyzed - Analysis Complete
Authentication Bypass via Order Parameter in CorrelationsController

Publication date: 2026-06-04

Last updated on: 2026-06-08

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value was processed by the underlying data access layer, this could allow manipulation of database query ordering and potentially expose the application to unsafe query construction. The patch removes order from the set of request-controlled parameters and instead sets the ordering server-side to occurrence desc after processing allowed user parameters. Affected component: app/Controller/CorrelationsController.php, overCorrelations() Security impact: An authenticated attacker could influence the ordering clause used by the over-correlations query. The direct impact appears limited to query manipulation unless further evidence confirms SQL injection or unauthorized data exposure through the manipulated ordering expression.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-08
Generated
2026-06-16
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-14
NVD
CVE-2026-10863
EUVD
EUVD-2026-34265
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
misp misp to 2.5.39 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the 'order' query parameter in the over-correlation endpoint of an application. Originally, the application accepted the 'order' parameter from user-controlled request parameters, allowing an authenticated user to override the server-defined ordering of query results.

Because the ordering value was processed by the underlying data access layer, this could lead to manipulation of the database query ordering and potentially unsafe query construction.

The vulnerability was fixed by removing the 'order' parameter from user control and instead setting the ordering server-side to a fixed value ('occurrence desc'), preventing users from influencing the query order.

Impact Analysis

An authenticated attacker could manipulate the ordering clause used in the over-correlations query. While the direct impact is limited to query manipulation, this could potentially lead to unsafe query construction.

If further exploited, this might expose the application to risks such as SQL injection or unauthorized data exposure through the manipulated ordering expression, although no direct evidence confirms this.

Detection Guidance

Detection of this vulnerability involves checking if the 'order' query parameter in the over-correlation endpoint is controllable by an authenticated user. Specifically, you can test whether sending requests with different 'order' parameters affects the ordering of query results.

A practical approach is to perform authenticated requests to the over-correlation endpoint with varying 'order' parameters and observe if the response ordering changes accordingly.

  • Use curl or similar tools to send authenticated requests with different 'order' values, for example: curl -X GET -H "Authorization: Bearer <token>" "https://<target>/correlations/over-correlation?order=some_malicious_value"
  • Compare the response data ordering to see if the 'order' parameter is being accepted and applied.
Mitigation Strategies

The immediate mitigation is to ensure that the 'order' parameter cannot be controlled by user input in the over-correlation endpoint.

Specifically, update the affected code (app/Controller/CorrelationsController.php) to remove the 'order' parameter from user-controllable request parameters and hardcode the ordering server-side to a safe value such as 'occurrence desc'.

Applying the patch from the referenced commit (Resource 1) will prevent unauthorized manipulation of the query ordering and reduce the risk of unsafe query construction.

Compliance Impact

The vulnerability allows an authenticated user to manipulate the ordering clause in database queries, which could potentially lead to unsafe query construction. However, the direct impact is limited to query manipulation without confirmed SQL injection or unauthorized data exposure.

Since there is no confirmed unauthorized data exposure or data breach, the vulnerability's direct effect on compliance with standards like GDPR or HIPAA is limited. Nonetheless, any potential for unsafe query construction or data exposure could pose risks to data integrity and confidentiality, which are critical for compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10863. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart