CVE-2026-10868

Gravedad CVSS v4.0:

CRÍTICA

Tipo:

CWE-269 Gestión de privilegios incorrecta

Fecha de publicación:

04/06/2026

Última modificación:

04/06/2026

Descripción

*** Pendiente de traducción *** A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker’s privileges, this could allow unauthorized modification of user account attributes and impact account integrity.<br /> <br /> <br /> <br /> The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation.

Impacto

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:H/SA:N CVSS v4.0 Severidad y Métricas:

Puntuación base: 9.00 CRÍTICA
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:H/SA:N

Vector de acceso (AV): A través de red
Complejidad de acceso (AC): Bajo
Attack Requirements (AT): Present
Privilegios Requeridos (PR): Ninguno
Interacción del usuario (UI): Ninguno
Confidentiality (VC): Bajo
Integrity (VI): Alto
Availability (VA): Ninguno
Confidentiality (SC): Ninguno
Integrity (SI): Alto
Availability (SA): Ninguno

Puntuación base 4.0

9.00

Gravedad 4.0

CRÍTICA

Referencias a soluciones, herramientas e información

https://github.com/MISP/MISP/commit/1be8c413b7104a889dfd30c5b1986e3ab17238e8