CVE-2026-10864 in MISP

Summary

by MITRE • 06/04/2026

A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause the underlying query to fall back to returning unintended model fields.



For the New Users widget, this could allow a non-site-admin user to obtain user e-mail addresses even when user e-mail disclosure was disabled by configuration. For the New Organisations widget, crafted field selection could similarly result in unintended organisation fields being included in the dashboard response.



The issue was caused by applying field filtering and redaction in a way that could leave the selected field list empty. The patch ensures that the allowed field list is built safely, that restricted fields such as user e-mail addresses are removed before user-supplied field selection is processed, and that an empty field selection falls back only to the permitted default fields.



Impact: An authenticated low-privileged user with access to the affected dashboard widgets may be able to disclose restricted user or organisation metadata, including user e-mail addresses depending on configuration.


Analysis

by VulDB Data Team • 06/04/2026

This vulnerability resides within the MISP (Malware Information Sharing Platform) dashboard functionality, specifically affecting the New Users and New Organisations widgets that display recent user and organizational data. The flaw represents a privilege escalation and information disclosure issue that undermines the platform's access control mechanisms and data protection policies. The vulnerability manifests when authenticated users manipulate field selection parameters within dashboard widgets, creating a scenario where the system's field validation and redaction processes fail to properly handle edge cases. This misconfiguration allows malicious actors to bypass intended security restrictions and access sensitive information that should remain protected.

The technical implementation flaw stems from improper field filtering and redaction logic that processes user-supplied field selections before applying security restrictions. When users specify field sets for dashboard queries, the system performs validation and redaction operations that can result in empty field lists under certain conditions. This occurs because the validation process does not adequately account for all possible combinations of user input and system restrictions, leading to scenarios where no fields remain after processing. The underlying database queries then fall back to returning unintended model fields that were not part of the original user request, creating an information leakage pathway. This type of vulnerability aligns with CWE-20: Improper Input Validation and CWE-215: Information Exposure Through Debug Information, as it involves both inadequate input handling and unintended information disclosure.

The operational impact of this vulnerability extends beyond simple data exposure, as it allows low-privileged users to circumvent configuration-based security controls that should prevent email address disclosure. When user email disclosure is disabled through platform configuration, the vulnerability enables attackers to retrieve this sensitive information through crafted field selection requests. Similarly, the New Organisations widget can be manipulated to return unintended organizational metadata that was not intended for public viewing. This represents a significant breach of the principle of least privilege, where users should only access information necessary for their roles. The vulnerability affects the platform's ability to maintain proper data segregation and could potentially expose sensitive organizational information to unauthorized users.

Security controls for this vulnerability were implemented through a comprehensive patch that addresses the core validation and redaction process. The fix ensures that allowed field lists are constructed using safe operations that prevent empty selections from occurring, while also removing restricted fields such as user email addresses before processing user-supplied field selections. The patch implements proper fallback mechanisms that restrict empty field selections to only permitted default fields, eliminating the possibility of unintended information disclosure. This remediation aligns with ATT&CK technique T1078.004: Valid Accounts, as it prevents unauthorized access to sensitive information through legitimate user accounts. The patch also addresses security misconfiguration patterns that could be exploited by adversaries to gain unauthorized access to sensitive data within the platform's dashboard functionality.
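To make the mechanism described in the Summary and in the Analysis above concrete, the following Python model (added here; it is not MISP's code, and the user records, field names and the "empty field list means every column" ORM behaviour are constructed assumptions) contrasts a widget that redacts after validating the requested fields with one that removes restricted fields from the allow-list first and falls back to permitted defaults:

```python
"""Model of the dashboard field-selection flaw (constructed example, not MISP code)."""
from typing import Dict, List

# Constructed user records; a real widget would query the User model.
USERS = [
    {"id": 1, "email": "alice@example.test", "org_id": 10, "date_created": "2026-04-01"},
    {"id": 2, "email": "bob@example.test", "org_id": 11, "date_created": "2026-04-02"},
]
DEFAULT_FIELDS = ["id", "org_id", "date_created"]
ALLOWED_FIELDS = ["id", "email", "org_id", "date_created"]


def query(fields: List[str]) -> List[Dict]:
    # Assumed ORM behaviour: an empty field list selects every column.
    if not fields:
        return [dict(row) for row in USERS]
    return [{k: row[k] for k in fields} for row in USERS]


def widget_vulnerable(requested: List[str], email_disclosure: bool) -> List[Dict]:
    # Validate the user-supplied list against the allow-list first ...
    selected = [f for f in requested if f in ALLOWED_FIELDS]
    # ... and only then redact e-mail. Requesting just "email" (or only
    # unknown names) leaves the list empty, so the query returns all columns.
    if not email_disclosure:
        selected = [f for f in selected if f != "email"]
    return query(selected)


def widget_fixed(requested: List[str], email_disclosure: bool) -> List[Dict]:
    # Build the allow-list with restricted fields already removed, before
    # any user input is considered.
    allowed = [f for f in ALLOWED_FIELDS if email_disclosure or f != "email"]
    selected = [f for f in requested if f in allowed]
    # An empty selection falls back to the permitted defaults, never to "all".
    if not selected:
        selected = [f for f in DEFAULT_FIELDS if f in allowed]
    return query(selected)


def leaks_email(rows: List[Dict]) -> bool:
    # Detection helper: does any returned row carry the restricted field?
    return any("email" in row for row in rows)
```

Running `leaks_email(widget_vulnerable(["email"], False))` reproduces the disclosure with e-mail disclosure disabled, while the fixed widget returns only the default fields for the same request.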

The vulnerability demonstrates the importance of proper input validation and secure coding practices in web applications, particularly those handling sensitive security information. It highlights the risks associated with complex field selection mechanisms that do not adequately account for security restrictions during processing. Organizations using MISP platforms should ensure immediate patch deployment to prevent exploitation of this vulnerability and maintain proper access controls for dashboard functionality. The incident underscores the necessity of comprehensive security testing for dashboard and reporting features, particularly those that aggregate and display user and organizational data. Regular security assessments should include validation of field selection processes to prevent similar issues from arising in other platform components.

Responsible

CIRCL

Reservation

06/04/2026

Disclosure

06/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low
