CVE-2026-10868 in MISP

Summary

by MITRE • 06/04/2026

A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity.



The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.


Analysis

by VulDB Data Team • 06/04/2026

The vulnerability under examination represents a classic mass assignment flaw within the MISP (Malware Information Sharing Platform) user management system. This weakness manifests in the UsersController::edit() method where the application fails to properly validate and filter user-supplied input parameters. The core technical issue stems from the application's indiscriminate acceptance of all request data without proper sanitization, allowing malicious actors to inject arbitrary parameters including the critical User.id field. This type of vulnerability is categorized under CWE-915 which specifically addresses improper control of generation of code or system calls, and falls within the broader category of insecure direct object references as defined by CWE-639.

The operational impact of this vulnerability extends beyond simple data modification, as it enables authenticated attackers to perform unauthorized account takeovers or data manipulation across multiple user profiles. When an attacker crafts a malicious request containing a modified User.id value, the system processes this input without validation, potentially allowing updates to be applied to unintended user accounts. The severity of this issue depends largely on the attacker's privileges and the editable fields available within the user interface, but it fundamentally compromises account integrity and user data confidentiality. This vulnerability aligns with ATT&CK technique T1078 which covers valid accounts and T1566 which covers credential stuffing and account manipulation, making it particularly dangerous in environments where user authentication is critical.

Exploiting this vulnerability requires an authenticated attacker who can manipulate request parameters through the user edit functionality. The attacker's ability to modify the User.id field in the request data creates a pathway for cross-user data modification, potentially allowing privilege escalation or data corruption. The fix, which explicitly removes the User.id field from request data before the edit operation is processed, is a proper defensive measure that prevents unauthorized object reference manipulation. This approach follows the principles of least privilege and input validation, ensuring that only authorized fields are processed during user account modifications. It addresses the root cause by preventing mass assignment of critical identifiers while preserving legitimate user editing operations.

Security practitioners should note that this vulnerability highlights the importance of proper input validation and parameter filtering in web applications, particularly those handling user account management. The implementation of explicit field whitelisting or blacklisting mechanisms, combined with proper authentication and authorization checks, provides comprehensive protection against similar mass assignment vulnerabilities. Organizations using MISP or similar platforms should ensure that all user-editable fields are properly validated and that critical identifiers such as User.id are never accepted from untrusted input sources. The fix implemented demonstrates a robust approach to vulnerability remediation that can serve as a model for similar issues in other web applications where user data modification is permitted.
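As an added illustration, not MISP's actual code, the following simplified CakePHP 2-style controller shows the vulnerable pattern the summary describes beside a hardened form: the fixed action drops User.id from the request body, takes the target identifier from the route and the session instead, and restricts the save to a whitelist of editable fields. The `_isSiteAdmin()` helper and the field list are constructed for this example.

```php
<?php
// Constructed CakePHP 2-style example, not MISP's UsersController.
// Assumes an AuthComponent-backed session, a User model, and a
// hypothetical _isSiteAdmin() helper on the controller.

class UsersController extends AppController {

    // Vulnerable pattern: the whole request body is handed to save().
    // Model::save() prefers an id found in the data over $this->User->id,
    // so a body carrying User.id updates that record instead of $id.
    public function editVulnerable($id = null) {
        $this->User->id = $id;
        if ($this->request->is('post') || $this->request->is('put')) {
            // $this->request->data['User']['id'] silently overrides $id here
            $this->User->save($this->request->data);
        }
    }

    // Hardened pattern: the identifier never comes from the request body.
    public function edit($id = null) {
        // Non-admins may only edit themselves; the id comes from the session.
        if (!$this->_isSiteAdmin()) {
            $id = $this->Auth->user('id');
        }
        $this->User->id = $id;
        if (!$this->User->exists()) {
            throw new NotFoundException(__('Invalid user'));
        }
        if ($this->request->is('post') || $this->request->is('put')) {
            // Remove the caller-controllable key before saving (the fix the
            // advisory describes), then whitelist the editable columns so
            // unexpected fields such as role_id cannot be mass-assigned.
            unset($this->request->data['User']['id']);
            $editable = array('email', 'autoalert'); // illustrative whitelist
            $this->User->save($this->request->data, true, $editable);
        }
    }
}
```

The whitelist (third argument of `Model::save()`) is the belt-and-braces part: even if a future change reintroduces the id, only the listed columns reach the database.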

Responsible: CIRCL

Reservation: 06/04/2026

Disclosure: 06/04/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: low
