QSearchQSearch

CVE-2026-10611

10.0 CRITICAL

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement

Published: 2026-06-02 · Last updated: 2026-06-16

Severity and scoring

CVSS
10.0 CRITICAL
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-287

Affected products

VendorProduct
mispmisp

Description

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge. As a result, an attacker with valid primary authentication credentials could bypass the required OTP step by authenticating through the plugin-backed login flow and then directly accessing another application URL instead of completing the OTP verification page. This allows access to the application as the affected user without providing a valid TOTP, HOTP, or email OTP code. The issue affects configurations where plugin-based authentication is enabled and OTP is expected to be mandatory. The fix ensures that OTP requirements are checked immediately after plugin authentication and before the user session is established, redirecting users to the appropriate OTP challenge when required.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-10864 A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields we... (4.3 MEDIUM)
  • CVE-2026-10863 A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlle... (8.1 HIGH)
  • CVE-2026-10860 A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method (6.5 MEDIUM)
  • CVE-2026-10861 An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url... (6.1 MEDIUM)
  • CVE-2026-10856 A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while bei... (6.1 MEDIUM)

Same CWE

  • CVE-2026-48114 Metacat is data repository software that helps researchers preserve, share, and discover data (9.8 CRITICAL)
  • CVE-2026-12183 Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerabili... (9.8 CRITICAL)
  • CVE-2026-50623 An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF (6.5 MEDIUM)
  • CVE-2026-48611 Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading t... (9.8 CRITICAL)
  • CVE-2026-40995 X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, ... (5.4 MEDIUM)