CVE-2026-10860 in MISP

Summary

by MITRE • 06/04/2026

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.


Analysis

by VulDB Data Team • 06/04/2026

The vulnerability is a logic error in the delete handler of the CRUD component of MISP (Malware Information Sharing Platform). A missing pair of parentheses in the condition that decides whether a delete may proceed changes the precedence of the expression, so a deletion can go ahead even though the delete validation callback has reported a failure. Exploitation needs nothing more than an authenticated user who can reach an affected delete endpoint; no memory corruption or injection is involved, and the flaw is entirely in control flow.

In PHP, && binds more tightly than ||. The intended check was that the validation callback returned no error and the request arrived by either POST or DELETE, i.e. $validationError === null && (POST || DELETE). Without the parentheses the condition parses as ($validationError === null && POST) || DELETE: the left operand of || carries the validation result, but the right operand is only the method test, so any request using the HTTP DELETE method satisfies the whole condition and the deletion proceeds even when $validationError is set. The bypass covers exactly what the delete validation callback enforces: any ownership, state or consistency rule implemented there is skipped for DELETE requests, while the same operation sent by POST is still checked.
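The precedence error quoted in the summary and analysed above, reduced to the single condition and placed beside the corrected form, as an added PHP example that is not MISP's own code: the function names, the $method parameter and the sample validation messages are assumptions for illustration, and the cases are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not MISP's own code. It reduces the delete condition from
// CVE-2026-10860 to one boolean expression and places the corrected form
// beside it. Function names, the $method parameter and the sample validation
// messages are assumptions for illustration.
//
// $validationError: null when the delete validation callback accepted the
//                   operation, otherwise the reason it rejected it.
// $method:          HTTP method of the incoming request.

// Vulnerable form. In PHP, && binds tighter than ||, so this parses as
//   ($validationError === null && $method === 'POST') || $method === 'DELETE'
// and a DELETE request satisfies the condition whatever $validationError holds.
function deleteAllowedVulnerable(?string $validationError, string $method): bool
{
    return $validationError === null && $method === 'POST' || $method === 'DELETE';
}

// Fixed form: the parentheses make the validation result gate both methods.
function deleteAllowedFixed(?string $validationError, string $method): bool
{
    return $validationError === null && ($method === 'POST' || $method === 'DELETE');
}

// Constructed cases: [validation error or null, HTTP method, intended decision].
$cases = [
    [null,                           'POST',   true],   // accepted, POST: delete
    [null,                           'DELETE', true],   // accepted, DELETE: delete
    ['not the owner of this record', 'POST',   false],  // rejected, POST: blocked
    ['not the owner of this record', 'DELETE', false],  // rejected, DELETE: must be blocked
    [null,                           'GET',    false],  // wrong method: never delete
];

printf("%-30s %-7s %-11s %-6s\n", 'validation', 'method', 'vulnerable', 'fixed');
$bypasses = 0;
foreach ($cases as [$error, $method, $intended]) {
    $vulnerable = deleteAllowedVulnerable($error, $method);
    $fixed      = deleteAllowedFixed($error, $method);
    if ($vulnerable !== $intended) {
        $bypasses++;
    }
    printf(
        "%-30s %-7s %-11s %-6s%s\n",
        $error ?? 'null (accepted)',
        $method,
        var_export($vulnerable, true),
        var_export($fixed, true),
        $vulnerable !== $intended ? '  <-- bypass' : ''
    );
    // The corrected condition must agree with the intended decision every time.
    if ($fixed !== $intended) {
        fwrite(STDERR, "fixed condition disagrees with intended decision\n");
        exit(1);
    }
}
// Exactly one row differs: a rejected operation sent with HTTP DELETE.
echo "bypass rows: $bypasses\n";
```

Run with `php` on the command line; the only row marked as a bypass is the rejected operation sent by DELETE, which is the CVE. PHP emits no diagnostic for an unparenthesised mix of && and ||, so the realistic guard is a regression test of this shape in the project's own suite: a DELETE request for a record the validation callback rejects, followed by an assertion that the record still exists.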

The impact is loss of integrity and availability of threat intelligence data. An authenticated user who can reach an affected delete endpoint can remove records handled through the CRUD component that the validation callback would otherwise have protected, and analysts who depend on a complete dataset then work from a partial one. The effect is not confined to a single instance: MISP is used for collaborative sharing, so records deleted on one instance can leave gaps or inconsistencies in the data its sharing partners hold.

The flaw maps to CWE-691 (Insufficient Control Flow Management) and CWE-862 (Missing Authorization); the abuse it enables corresponds to ATT&CK technique T1485 (Data Destruction). The fix is to restore the parentheses so that the validation result gates both request methods, and to add a regression test that sends a DELETE request for a record the validation callback rejects and asserts that the record survives. Operators should apply the upstream fix and, in the meantime, monitor delete operations and keep an audit trail of data modifications, since a successful deletion of a protected record would appear as a delete performed by a user who should not have been able to perform it. The same precedence mistake is easy to make wherever && and || are mixed without parentheses, so equivalent conditions in other components deserve a targeted review.

Responsible

CIRCL

Reservation

06/04/2026

Disclosure

06/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low
