CVE-2026-10868
Deferred Deferred - Pending Action
Mass Assignment in MISP User Edit Functionality

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity. The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-06-25
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-10868
EUVD
EUVD-2026-34289
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
misp misp to 1be8c413b7104a889dfd30c5b1986e3ab17238e8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a mass assignment issue in the MISP application's user edit functionality. It occurs because the application does not properly filter user-supplied fields, allowing an authenticated attacker to submit a request with a different user's ID. This can cause updates to be applied to another user's account instead of the intended one.

Essentially, the attacker can modify user account attributes that they should not have access to by exploiting the insufficient filtering of the User.id field during the edit process.

Impact Analysis

This vulnerability can allow an attacker to modify attributes of other users' accounts without authorization. Depending on the fields that can be edited and the attacker's privileges, this could compromise account integrity and potentially lead to unauthorized access or changes within the system.

Mitigation Strategies

To mitigate this vulnerability, ensure that the application explicitly removes or unsets the 'id' field from user-supplied request data during user edit operations.

Specifically, apply the fix as shown in the MISP repository commit 1be8c413b7104a889dfd30c5b1986e3ab17238e8, which modifies the UsersController.php file to prevent modification of the 'id' field by unsetting it if present in the request.

This prevents attackers from changing user identifiers and thus protects against unauthorized modifications to user accounts.

Compliance Impact

The vulnerability allows an authenticated attacker to modify user account attributes of other users by exploiting insufficient filtering in the user edit functionality. This unauthorized modification can impact account integrity and potentially lead to unauthorized access or changes to personal data.

Such unauthorized modifications and potential data integrity issues could negatively affect compliance with standards and regulations like GDPR and HIPAA, which require strict controls over personal data access and modification to protect user privacy and data security.

Detection Guidance

This vulnerability involves the acceptance of a user-controlled User.id value in edit requests, allowing unauthorized modification of user accounts. To detect exploitation attempts on your system or network, you should monitor for unusual or unauthorized HTTP requests to the user edit endpoint that include an 'id' field in the request data.

One way to detect this is by inspecting web server logs or application logs for requests to the user edit functionality containing an 'id' parameter that differs from the authenticated user's ID.

Example commands to search for such suspicious requests in logs might include:

  • Using grep to find requests containing 'id' in access logs: grep -i 'id=' /var/log/apache2/access.log
  • Using grep to find POST requests to the user edit endpoint containing 'id' in request bodies (if logged): grep -i 'POST /users/edit' /var/log/apache2/access.log | grep 'id='
  • If application logs contain parsed request data, search for entries where the 'id' field is present in user edit operations.

Additionally, implementing web application firewall (WAF) rules to block or alert on requests attempting to modify the 'id' field during user edits can help detect or prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10868. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart