CVE-2026-10864 · A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were

01 · The Real Story

This is less a front-door break-in than a user quietly changing the labels on a sensitive filing cabinet

CVE-2026-10864 is an information-disclosure flaw in MISP dashboard widgets where an authenticated user can tamper with the widget fields option and influence which data fields are returned or rendered. The public description does not publish an authoritative affected version range or fixed version; the latest publicly visible upstream release I found before disclosure was MISP 2.5.38 on 2026-05-20, so treat currently deployed 2.5 builds as *potentially affected until proven otherwise* rather than assuming safety.

There is no vendor CVSS baseline, so this has to be scored from scratch. In practice this is not internet-scale pre-auth RCE; it is a post-auth, app-layer data exposure problem gated behind dashboard functionality, which pushes the rating down. What keeps it out of LOW is that MISP often holds partner, community, or cross-org threat intel, so even a field-selection bypass can disclose data that matters operationally.

"ASSESSED AT MEDIUM: real intel leak potential, but it needs a logged-in user and a narrow dashboard-only path"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get a live MISP session

The attacker starts with a valid MISP account and reaches the dashboard feature through the normal web UI or API-backed settings flow. A practical operator would use a browser plus DevTools or Burp Suite to observe how dashboard widget settings are saved and replayed. Reference: MISP OpenAPI.

Conditions required:

Valid authenticated MISP user account
Dashboard feature enabled and reachable
User can create or modify dashboard widgets or user settings

Where this breaks in practice:

Requires prior credential theft, insider access, or legitimate low-privilege access
Many MISP deployments are internal-only or partner-restricted rather than public internet targets
MFA, SSO, and IP restrictions materially reduce reachable population

Detection/coverage: Most scanners will miss this because it is a logic flaw behind authentication. Look for normal-looking authenticated traffic that updates dashboard settings, especially POSTs touching user dashboard settings.

STEP 02

Tamper with widget field selection

Using Burp Suite Repeater or curl, the attacker modifies the widget configuration payload and inserts a manipulated fields array or equivalent option set. The bug is that the server-side handling does not sufficiently constrain which fields a given widget may request, allowing the user to steer output beyond the intended selection model.

Conditions required:

Ability to submit or replay widget configuration requests
Widget type that consumes a fields option

Where this breaks in practice:

Attacker has to understand the widget schema well enough to craft a working payload
If the backend still enforces object-level ACLs correctly, the leak may be limited to extra fields rather than arbitrary records

Detection/coverage: Good application telemetry can catch unusual fields values or oversized field lists. Commodity network IDS coverage is weak unless you build custom signatures for dashboard-setting endpoints.

STEP 03

Abuse backend trust in the supplied fields

When the widget renders, the backend query path trusts the attacker-influenced field list and returns data into the widget context. A low-effort tool here is just the victim browser; the payload is not necessarily malicious code, just an unauthorized data-shaping request. Reference: MISP dashboard rework release notes.

Conditions required:

The affected widget actually uses the user-controlled field list during query or render
Requested fields exist in the underlying dataset

Where this breaks in practice:

Impact collapses if only already-visible fields are returned
Some widgets may expose only a narrow subset of metadata, not full records

Detection/coverage: This is best caught by server-side request logging and anomaly detection on widget configs. Vulnerability scanners and EDR are unlikely to give strong direct coverage.

STEP 04

Harvest exposed intel and pivot

The result is unauthorized exposure of additional MISP fields inside the dashboard output, which can include metadata, context, or other sensitive threat-intel attributes depending on the widget and permissions model. From there the attacker can use the leaked data for partner-intel collection, cross-org reconnaissance, or better-targeted follow-on abuse rather than direct system compromise.

Conditions required:

Leaked fields contain information the user should not normally see
Target instance stores sensitive partner or community-shared intel

Where this breaks in practice:

No evidence the flaw grants code execution, privilege escalation, or broad record access by itself
Blast radius is bounded by dashboard usage and the specific data model behind the widget

Detection/coverage: Review audit logs and reverse proxy logs for repeated dashboard refreshes or field-list churn from the same account. No widely published off-the-shelf detection signatures were found.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public evidence found of active exploitation. It is not listed in CISA KEV, and I found no public GreyNoise campaign write-up tied to this CVE.
Proof-of-concept availability	No public PoC found in the retrieved upstream sources, releases, or common public references. That lowers immediate copy-paste risk.
EPSS	No public EPSS score located for this CVE at assessment time. FIRST notes EPSS scoring is automated for published CVEs, but no scored record was surfaced in the retrieved sources.
KEV status	Not in KEV as of this assessment. KEV catalog reference: CISA KEV.
CVSS / vector	No vendor CVSS published. My inferred shape is roughly `AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`, which is why this lands around the mid-4s rather than higher.
Affected versions	Not authoritatively published in the sources I found. Because upstream had public 2.5 releases through 2.5.38 on 2026-05-20, treat currently deployed builds as potentially affected until upstream publishes a fix range.
Fixed version	Not publicly published in the retrieved upstream release notes or advisory pages.
Scanning / exposure data	MISP is commonly deployed as an internal or partner-facing platform rather than a mass-exposed internet app. That sharply limits reachable population compared with edge products; I found no product-specific public Shodan/Censys/GreyNoise count for this CVE in the retrieved sources.
Disclosure date	2026-06-04 per the supplied intel.
Reporter / attribution	No public reporter attribution found in the retrieved upstream materials.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to MEDIUM (4.6/10)

The decisive factor is attacker position: this starts at authenticated remote access and abuses a dashboard-only field-selection path, which means it is already post-initial-access and not broadly reachable. It still earns MEDIUM because MISP stores sensitive shared intelligence, so even a narrow field-level disclosure can have real operational consequences.

HIGH attacker-position friction is materially downward

MEDIUM overall severity bucket

LOW exact affected and fixed version boundaries

Why this verdict

Authenticated remote only: the first prerequisite is a valid MISP session, which implies prior compromise, insider access, or legitimate tenant access and sharply narrows exposure versus pre-auth flaws.
Dashboard path is a niche surface: this is not a universal request path hit by every user or every automation workflow; it depends on widget configuration behavior and a widget type that consumes fields.
Impact is disclosure, not takeover: based on the published description and CWE-200 mapping, this is about influencing returned fields, not achieving code execution, auth bypass, or direct privilege escalation.

Why not higher?

There is no public sign of KEV listing, active exploitation, wormability, or unauthenticated reachability. The attack chain also appears bounded to dashboard widget behavior rather than a core record-access primitive, which keeps the blast radius narrower than the data itself might suggest.

Why not lower?

Calling this LOW would understate the value of the data sitting behind MISP. In real environments, MISP often aggregates sensitive partner intel, embargoed context, and community-shared indicators; a field-selection bypass in that setting is more than harmless UI weirdness.

05 · Compensating Control

What to do — in priority order.

Restrict dashboard access — Limit dashboard and widget-configuration privileges to trusted analyst roles only, especially on multi-org or externally federated MISP instances. For a MEDIUM verdict there is no mitigation SLA, but this is still the best temporary control to apply during the normal change window while you validate exposure.
Log widget-setting changes — Capture and retain reverse-proxy or application logs for requests that modify user dashboard settings, then alert on unusual fields values, long field lists, or repeated dashboard reconfiguration by one account. This gives you at least some behavioral visibility before a vendor-fixed version is identified.
Constrain low-trust accounts — Remove dashboard customization rights from guest, partner, or low-trust analyst accounts if they do not need them. This shrinks the exploitable population without disrupting core event-sharing workflows.
Review shared-intel tenancy — Prioritize instances that host cross-organisation, partner, or community-shared data, because those are where a field-disclosure flaw hurts most. Use your normal change process; for MEDIUM there is no mitigation SLA and the focus is controlled remediation rather than emergency response.

What doesn't work

A WAF alone is weak here because the malicious request is an authenticated, application-valid settings update rather than a noisy exploit string.
Network segmentation alone does not solve the problem once the attacker already has a valid MISP session on the allowed network path.
Unauthenticated perimeter scanning will often report nothing because the vulnerable logic sits behind login and user-specific dashboard behavior.

06 · Verification

Crowdsourced verification payload.

Run this on the MISP application host as a user that can read the MISP installation directory; root is not required unless file permissions are locked down. Invoke it as bash verify-cve-2026-10864.sh /var/www/MISP and it will use a conservative heuristic: versions up to 2.5.38 with dashboard code present are flagged VULNERABLE, newer builds are UNKNOWN until upstream publishes a fixed version.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# verify-cve-2026-10864.sh
# Heuristic exposure check for CVE-2026-10864 in MISP dashboard widgets.
# Usage: bash verify-cve-2026-10864.sh /var/www/MISP
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/error

set -u

ROOT="${1:-}"
if [[ -z "$ROOT" || ! -d "$ROOT" ]]; then
  echo "UNKNOWN - usage: bash verify-cve-2026-10864.sh /path/to/MISP"
  exit 3
fi

normalize_ver() {
  local v="$1"
  v="${v#v}"
  v="${v#MISP }"
  v="${v%% *}"
  echo "$v"
}

get_version() {
  local root="$1"
  local v=""

  if command -v git >/dev/null 2>&1 && [[ -d "$root/.git" ]]; then
    v=$(git -C "$root" describe --tags --abbrev=0 2>/dev/null || true)
    if [[ -n "$v" ]]; then
      normalize_ver "$v"
      return 0
    fi
  fi

  for f in "$root/VERSION" "$root/VERSION.json" "$root/app/VERSION" "$root/app/VERSION.json"; do
    if [[ -f "$f" ]]; then
      v=$(grep -Eo 'v?[0-9]+\.[0-9]+\.[0-9]+' "$f" 2>/dev/null | head -n1 || true)
      if [[ -n "$v" ]]; then
        normalize_ver "$v"
        return 0
      fi
    fi
  done

  return 1
}

ver_lte() {
  # returns 0 if $1 <= $2
  [[ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" == "$1" ]]
}

DASHBOARD_PRESENT="no"
if [[ -d "$ROOT/app/Lib/Dashboard" || -d "$ROOT/app/View/Elements/dashboard" || -d "$ROOT/app/View/Dashboards" ]]; then
  DASHBOARD_PRESENT="yes"
fi

VERSION=""
if VERSION=$(get_version "$ROOT"); then
  :
else
  echo "UNKNOWN - could not determine installed MISP version; dashboard_present=$DASHBOARD_PRESENT"
  exit 2
fi

if [[ "$DASHBOARD_PRESENT" != "yes" ]]; then
  echo "UNKNOWN - MISP version=$VERSION but dashboard code path not clearly present"
  exit 2
fi

# Public upstream release visibility reached 2.5.38 on 2026-05-20 in retrieved sources.
# No authoritative fixed version for CVE-2026-10864 was found during assessment.
CUTOFF="2.5.38"

if ver_lte "$VERSION" "$CUTOFF"; then
  echo "VULNERABLE - MISP version=$VERSION is at or below public pre-disclosure cutoff $CUTOFF and dashboard code is present"
  exit 1
fi

echo "UNKNOWN - MISP version=$VERSION is newer than $CUTOFF, but no authoritative fixed version was publicly identified for CVE-2026-10864"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: inventory every MISP instance, identify which ones allow dashboard customization by ordinary users, and treat partner-facing or multi-org instances as the first validation targets. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; that means you do not need emergency patch handling, but you do need a tracked remediation item to move onto the vendor-fixed version once one is published, inside the noisgate remediation SLA of ≤365 days. If you cannot quickly validate exposure, temporarily narrow dashboard access for low-trust users during routine change control rather than burning an outage window.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.