Description
An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge.

As a result, an attacker with valid primary authentication credentials could bypass the required OTP step by authenticating through the plugin-backed login flow and then directly accessing another application URL instead of completing the OTP verification page. This allows access to the application as the affected user without providing a valid TOTP, HOTP, or email OTP code.

The issue affects configurations where plugin-based authentication is enabled and OTP is expected to be mandatory. The fix ensures that OTP requirements are checked immediately after plugin authentication and before the user session is established, redirecting users to the appropriate OTP challenge when required.
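The ordering defect described above, modelled as an added example (not MISP's code): the vulnerable flow marks the session authenticated right after plugin authentication and relies on a redirect to the OTP page, whereas the fixed flow parks the user in an OTP-pending state that the per-request gate rejects. The config dict, user directory, function names and URL paths are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed config using the two keys the advisory names.
CONFIG = {"LdapAuth.mixedAuth": True, "Security.require_otp": True}
# Constructed stand-in for the LDAP directory: username -> password.
LDAP_USERS = {"alice": "s3cret"}


@dataclass
class Session:
    user: str = ""
    authenticated: bool = False   # session usable for any application URL
    otp_pending: bool = False     # primary auth done, OTP challenge outstanding


def plugin_authenticate(user, password):
    """Primary-credential check standing in for the LDAP auth plugin."""
    return LDAP_USERS.get(user) == password


def login_vulnerable(session, user, password):
    """beforeFilter-style flow: the session is live before OTP is enforced,
    so the redirect to the OTP page is the only thing standing in the way."""
    if CONFIG["LdapAuth.mixedAuth"] and plugin_authenticate(user, password):
        session.user, session.authenticated = user, True   # established too early
        return "redirect:/users/otp"
    return "login_failed"


def login_fixed(session, user, password):
    """OTP requirement is checked right after plugin auth, before the
    session is marked authenticated; the user is parked in otp_pending."""
    if not (CONFIG["LdapAuth.mixedAuth"] and plugin_authenticate(user, password)):
        return "login_failed"
    if CONFIG["Security.require_otp"]:
        session.user, session.otp_pending = user, True
        return "redirect:/users/otp"
    session.user, session.authenticated = user, True
    return "redirect:/"


def verify_otp(session, code_ok):
    """Completes the challenge (OTP code validation itself is out of scope here)."""
    if session.otp_pending and code_ok:
        session.otp_pending, session.authenticated = False, True
    return session.authenticated


def request_page(session, path):
    """Gate every non-login URL must pass: authenticated and no OTP outstanding."""
    if session.authenticated and not session.otp_pending:
        return f"200 {path} as {session.user}"
    return "302 /users/login"
```

The useful test after patching or reconfiguring is the same one `request_page` encodes: a session that has passed primary authentication but not the OTP challenge must be refused on every application URL, not just redirected from the login page.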
Published: 2026-06-02
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authentication bypass occurs in MISP when LDAP mixed authentication is enabled while OTP is required. The login flow authenticates via an LDAP plugin and establishes a user session before the OTP challenge is enforced, allowing an attacker who possesses valid primary credentials to access the application without providing a one‑time password. This weakness is classified as CWE‑287 and results in unauthorized access to the application, compromising the confidentiality and integrity of the data that the authenticated user can access.

Affected Systems

The vulnerability affects deployments of the MISP software where the configuration LdapAuth.mixedAuth is set to true and Security.require_otp is also enabled. It applies to all users authenticated through LDAP plugins under these settings. No specific product versions are mentioned, so any MISP installation that uses these configuration options is at risk.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, and even though the EPSS score is not available, the risk remains substantial because the flaw allows bypass of a two‑factor authentication mechanism. The vulnerability is not yet listed in CISA’s KEV catalog, but the attack vector is a legitimate authentication flow with valid credentials, making it relatively easy for an adversary to exploit. The risk is high for organizations that rely on OTP as a critical security control.

Generated by OpenCVE AI on June 2, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MISP to a version that includes the commit 39b3cb15 or later, which enforces the OTP challenge immediately after LDAP plugin authentication.
  • If an upgrade cannot be performed right away, temporarily disable OTP enforcement (set Security.require_otp to false) or mixed authentication (set LdapAuth.mixedAuth to false) until the patch is applied.
  • After applying the patch or reconfiguring authentication, test the login flow to ensure that the OTP challenge is presented before a session is established for all users.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Misp
Misp misp
Vendors & Products Misp
Misp misp

Tue, 02 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge. As a result, an attacker with valid primary authentication credentials could bypass the required OTP step by authenticating through the plugin-backed login flow and then directly accessing another application URL instead of completing the OTP verification page. This allows access to the application as the affected user without providing a valid TOTP, HOTP, or email OTP code. The issue affects configurations where plugin-based authentication is enabled and OTP is expected to be mandatory. The fix ensures that OTP requirements are checked immediately after plugin authentication and before the user session is established, redirecting users to the appropriate OTP challenge when required.
Title OTP bypass via plugin-based LDAP authentication in MISP when LDAP mixed authentication is enabled
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-02T16:05:19.924Z

Reserved: 2026-06-02T12:45:39.824Z

Link: CVE-2026-10611

Vulnrichment

Updated: 2026-06-02T16:05:15.628Z

NVD

Status: Awaiting Analysis

Published: 2026-06-02T14:16:44.867

Modified: 2026-06-02T14:47:59.300

Link: CVE-2026-10611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T15:45:06Z

Weaknesses