
CVE-2026-10860

6.5 MEDIUM

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method

Published: 2026-06-04 · Last updated: 2026-06-08

Severity and scoring

CVSS
6.5 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CWE
CWE-863

Affected products

Vendor: misp
Product: misp

Description

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.
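The following PHP snippet is an added illustration of the precedence bug described above; it is not MISP's code. The request class, the validation callback and the record arrays are simplified stand-ins (assumptions), not the project's API. In PHP, `&&` binds more tightly than `||`, so `a && b || c` is parsed as `(a && b) || c`; the vulnerable function reproduces that shape beside the parenthesised fix.

```php
<?php
// Added example for CVE-2026-10860 (not MISP's own code).
// FakeRequest, deleteValidationCallback() and the sample records are assumptions.

// Minimal stand-in for a framework request object's method check.
final class FakeRequest
{
    public function __construct(private string $method) {}

    public function is(string $method): bool
    {
        return strtoupper($this->method) === strtoupper($method);
    }
}

// Stand-in delete validation callback: returns an error string for records
// that must not be deleted, or null when deletion is allowed.
function deleteValidationCallback(array $record): ?string
{
    return !empty($record['protected']) ? 'Record is protected' : null;
}

// Vulnerable form: no parentheses, so PHP evaluates
//   ($validationError === null && POST) || DELETE
// and any DELETE request passes regardless of the validation result.
function deleteAllowedVulnerable(FakeRequest $request, array $record): bool
{
    $validationError = deleteValidationCallback($record);
    return $validationError === null && $request->is('post') || $request->is('delete');
}

// Fixed form: the validation result gates both accepted HTTP methods.
function deleteAllowedFixed(FakeRequest $request, array $record): bool
{
    $validationError = deleteValidationCallback($record);
    return $validationError === null && ($request->is('post') || $request->is('delete'));
}

// Constructed sample records: one the validation callback rejects, one it allows.
$protected = ['id' => 1, 'protected' => true];
$plain     = ['id' => 2, 'protected' => false];

$cases = [
    ['POST',   $protected],
    ['DELETE', $protected],
    ['DELETE', $plain],
    ['GET',    $plain],
];

foreach ($cases as [$method, $record]) {
    printf(
        "%-6s id=%d vulnerable=%s fixed=%s\n",
        $method,
        $record['id'],
        var_export(deleteAllowedVulnerable(new FakeRequest($method), $record), true),
        var_export(deleteAllowedFixed(new FakeRequest($method), $record), true)
    );
}
```

Running it shows the divergence only for the DELETE request against the protected record: the vulnerable condition returns true while the fixed condition returns false; POST against the protected record is refused by both, and GET is refused by both. When auditing similar handlers, grep for conditions mixing `&&` and `||` without parentheses around the alternation, and add a test that sends each accepted method against a record the validation callback rejects.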

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-10864 A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields we... (4.3 MEDIUM)
  • CVE-2026-10863 A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlle... (8.1 HIGH)
  • CVE-2026-10861 An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url... (6.1 MEDIUM)
  • CVE-2026-10856 A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while bei... (6.1 MEDIUM)
  • CVE-2026-10855 An authorization flaw existed in the MISP Event Template Importer overwrite workflow (4.3 MEDIUM)

Same CWE

  • CVE-2026-47238 ClipBucket v5 is an open source video sharing platform (6.5 MEDIUM)
  • CVE-2026-53809 OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to... (3.8 LOW)
  • CVE-2026-53808 OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls t... (6.5 MEDIUM)
  • CVE-2026-53807 OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users... (8.8 HIGH)
  • CVE-2026-46519 mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management (8.8 HIGH)