Unauthorized exposure of private galaxies in MISP event template creation

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green

Description

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility.

The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.

Basic Information

ID CVE-2026-10854

Source CIRCL

Published Jun 4, 2026 at 12:51

Modified Jun 4, 2026 at 13:53

Affected Product

Vendor misp

Product misp

Affected Versions misp misp 0

CWE Classification

CWE-200

References

github.com /MISP/MISP/commit/d3adfe1a097dd4b403364e9af34e208660eeec1a

{
    "lastseen": "",
    "description": "A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility.\n\n\n\nThe issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user\u2019s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.",
    "published": "2026-06-04T12:51:48.562Z",
    "modified": "2026-06-04T13:53:45.610Z",
    "type": "cve",
    "title": "Unauthorized exposure of private galaxies in MISP event template creation",
    "source": "CIRCL",
    "references": "https://github.com/MISP/MISP/commit/d3adfe1a097dd4b403364e9af34e208660eeec1a",
    "id": "CVE-2026-10854",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "misp misp 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "misp",
    "version": "0",
    "vendor": "misp",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Unauthorized exposure of private galaxies in MISP event template creation_CVE-2026-10854