CVE-2026-10854 | A visibility control issue in the event template creation wo… | CVSS 5.3 MEDIUM

Description

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.

Metadata

CVE ID: CVE-2026-10854
State: PUBLISHED
Assigner: CIRCL
Reserved: 2026-06-04 12:51 UTC
Published: 2026-06-04 12:51 UTC
Last updated: 2026-06-04 13:53 UTC
Primary CWE: CWE-200
CWE-200 Exposure of Sensitive Information to an Unauthorized…
Vendor / Product: misp / misp
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
misp	misp	—	0 ≤ 2.5.38

Weakness (CWE)

CWE	Source	Description
CWE-200	cna	CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green

References (1)

https://github.com/MISP/MISP/commit/d3adfe1a097dd4b403364e9af34e208660eeec1a