CVE-2026-10854 in MISP

Summary

by MITRE • 06/04/2026

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility.

The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.


Analysis

by VulDB Data Team • 06/04/2026

This vulnerability represents a critical access control flaw in the event template creation workflow that undermines the fundamental security boundaries of multi-organization threat intelligence platforms. The issue stems from insufficient authorization checks during galaxy metadata retrieval, where the system failed to enforce proper access controls when loading galaxies for event template building. This oversight created a privilege escalation vector that allowed users without administrative privileges to bypass organizational isolation mechanisms and gain visibility into private galaxies belonging to other organizations. The vulnerability specifically affected the galaxy query functionality within the event template creation process, where the system loaded all enabled galaxies regardless of their distribution settings or organizational ownership, exposing sensitive metadata including galaxy types and descriptions to unauthorized users.

The technical implementation flaw demonstrates a failure in the principle of least privilege and proper access control enforcement, which are core requirements defined by CWE-284 Access Control. The system's inability to properly filter galaxy queries based on user permissions and organizational boundaries created a data exposure scenario that could lead to information leakage about threat intelligence assets. This issue particularly impacts organizations that rely on private galaxies to maintain sensitive threat intelligence data within their own boundaries, as the vulnerability allowed unauthorized cross-organizational access to metadata that could reveal strategic intelligence about threat actor behaviors, attack patterns, and defensive measures. The vulnerability aligns with ATT&CK technique T1566 Access Token Manipulation in that it involves unauthorized access to resources that should be restricted to specific organizational contexts.

The operational impact of this vulnerability extends beyond simple metadata exposure, as it fundamentally undermines the trust model of multi-tenant threat intelligence platforms. Organizations using private galaxies for sensitive threat intelligence could have their strategic information disclosed to competitors or unauthorized parties, potentially compromising their defensive capabilities and threat detection effectiveness. The exposure of galaxy metadata could enable adversaries to understand the scope and focus of different organizations' threat intelligence activities, potentially leading to targeted attacks against specific threat actors or defensive measures. Additionally, this vulnerability could be exploited as part of a reconnaissance phase to map out the threat intelligence landscape of multiple organizations, providing valuable context for more sophisticated attacks.

The mitigation implemented addresses the core access control issue by enforcing proper organizational boundaries and distribution settings during galaxy query processing. The solution restricts galaxy queries for non-site-admin users to only include galaxies owned by the user's organization or galaxies with non-private distribution settings, effectively restoring the intended access controls. This approach aligns with the security principle of defense in depth and proper access control implementation. Site administrators retain full visibility of all enabled galaxies as intended, maintaining their ability to manage and oversee the entire threat intelligence ecosystem while ensuring that regular users cannot bypass organizational access controls. The fix also demonstrates proper implementation of the principle of least privilege, ensuring that users only access resources they are authorized to view based on their organizational affiliation and the distribution settings of the threat intelligence data. This remediation approach prevents similar vulnerabilities from occurring in other parts of the system by establishing a consistent access control pattern for galaxy metadata retrieval.
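The filter described above, as an added illustration that is not MISP's own code (MISP is written in PHP; this is a standalone Python model of the same authorization rule). It assumes a distribution level of 0 meaning "your organisation only" (private) and uses constructed galaxy records and field names; the unrestricted loader reproduces the behaviour the advisory describes, and the restricted loader applies the owning-organisation-or-non-private rule with the site-admin exception, so the difference between the two is exactly the set of galaxies a non-site-admin user should never have seen.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumption: distribution level 0 means "your organisation only", i.e. private.
PRIVATE = 0


@dataclass(frozen=True)
class Galaxy:
    id: int
    name: str
    type: str
    description: str
    org_id: int          # owning organisation
    distribution: int    # 0 = private, higher = shared more widely
    enabled: bool = True


@dataclass(frozen=True)
class User:
    org_id: int
    site_admin: bool = False


def enabled_galaxies_unrestricted(galaxies: List[Galaxy]) -> List[Galaxy]:
    """Pre-fix behaviour: every enabled galaxy, with no org or distribution check."""
    return [g for g in galaxies if g.enabled]


def galaxy_visible_to(user: User, galaxy: Galaxy) -> bool:
    """Post-fix rule: site admins see all enabled galaxies; everyone else sees only
    galaxies their own organisation owns or galaxies that are not private."""
    if not galaxy.enabled:
        return False
    if user.site_admin:
        return True
    return galaxy.org_id == user.org_id or galaxy.distribution != PRIVATE


def enabled_galaxies_for(user: User, galaxies: List[Galaxy]) -> List[Galaxy]:
    """Galaxy list the template builder should load for this user."""
    return [g for g in galaxies if galaxy_visible_to(user, g)]


def template_metadata_for(user: User, galaxies: List[Galaxy]) -> List[Dict[str, str]]:
    """The metadata the template builder actually renders (type and description),
    produced from the restricted list so nothing private from another org leaks."""
    return [{"name": g.name, "type": g.type, "description": g.description}
            for g in enabled_galaxies_for(user, galaxies)]


def leaked_galaxy_ids(user: User, galaxies: List[Galaxy]) -> List[int]:
    """Ids the unrestricted query would have exposed to this user but the fixed
    query withholds: the over-exposure the advisory describes."""
    allowed = {g.id for g in enabled_galaxies_for(user, galaxies)}
    return [g.id for g in enabled_galaxies_unrestricted(galaxies) if g.id not in allowed]


# Constructed sample data: two organisations, a mix of private and shared galaxies.
SAMPLE_GALAXIES = [
    Galaxy(1, "attack-pattern", "attack-pattern", "Shared techniques", org_id=1, distribution=3),
    Galaxy(2, "org-a-tracking", "tracking", "Org A internal cases", org_id=1, distribution=PRIVATE),
    Galaxy(3, "org-b-actors", "threat-actor", "Org B private actors", org_id=2, distribution=PRIVATE),
    Galaxy(4, "org-b-tools", "tool", "Org B community tools", org_id=2, distribution=1),
    Galaxy(5, "org-b-retired", "tool", "Disabled galaxy", org_id=2, distribution=PRIVATE, enabled=False),
]


if __name__ == "__main__":
    analyst = User(org_id=1)
    print("unrestricted:", [g.id for g in enabled_galaxies_unrestricted(SAMPLE_GALAXIES)])
    print("restricted:  ", [g.id for g in enabled_galaxies_for(analyst, SAMPLE_GALAXIES)])
    print("leaked ids:  ", leaked_galaxy_ids(analyst, SAMPLE_GALAXIES))
```

Running the block as a script shows the org 1 analyst receiving galaxy 3 (org 2's private galaxy) under the unrestricted query and not under the fixed one; a site administrator sees both lists agree. The same comparison is a convenient regression check to keep next to any template or listing endpoint that loads galaxies, since the advisory's fix is a per-query filter and any new query that forgets it reintroduces the exposure.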

Responsible

CIRCL

Reservation

06/04/2026

Disclosure

06/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
