CVE-2026-10854
published 2026-06-04CVE-2026-10854: A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations…
PriorityP423medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
EPSS
0.18%
7.3th percentile
A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility.
The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| misp-project | misp | < 2.5.39 | 2.5.39 |
| misp | misp | <= 2.5.38 | — |
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations.
ghsa_unreviewed·2026-06-04
CVE-2026-10854 [MEDIUM] CWE-200 A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations.
A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility.
The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.
VulDB
MISP up to 2.5.38 Setting information disclosure
vuldb·2026-06-04·CVSS 5.3
CVE-2026-10854 [MEDIUM] MISP up to 2.5.38 Setting information disclosure
A vulnerability labeled as problematic has been found in MISP up to 2.5.38. Affected by this issue is some unknown functionality of the component Setting Handler. Such manipulation leads to information disclosure.
This vulnerability is documented as CVE-2026-10854. The attack can be executed remotely. There is not any exploit available.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-04
Published