Description
A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility.

The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.
Published: 2026-06-04
Score: 5.3 Medium (CVSS 4.0, CNA; NVD CVSS 3.1: 4.3)
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A visibility control flaw in MISP's event template creation workflow allowed non-site-admin users to load all enabled galaxies without any organisation or distribution check. Those users could therefore read the metadata (galaxy type and description) of galaxies that other organisations had marked private. The impact is confidentiality only (CWE-200, Exposure of Sensitive Information to an Unauthorized Actor): integrity and availability are unaffected, which is why the CNA's CVSS 4.0 vector scores only VC:L (5.3) and NVD's CVSS 3.1 vector only C:L (4.3).

Affected Systems

The issue affects MISP (Malware Information Sharing Platform) installations that expose the event template creation feature to non-site-admin users. Any version that does not include commit d3adfe1a, which added organisation- and distribution-based filtering of galaxies for non-site-admin users, is vulnerable. The page lists no fixed version number; the CPE entry (cpe:2.3:a:misp:misp:*) covers all versions.

Risk and Exploitability

The CVSS 4.0 score of 5.3 (CVSS 3.1: 4.3) indicates moderate severity. EPSS is below 1% (Very Low), but private galaxy metadata can still be useful to an attacker who already holds an account and wants to learn what other organisations on the instance track. Exploitation requires only an authenticated non-site-admin account (PR:L) and no user interaction: opening the event template builder loads the full galaxy list, so nothing unusual has to be done to see the private entries. The vulnerability is not listed in the CISA KEV catalog, no public exploit code is known, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. The exposure is limited to galaxy metadata; it does not grant access to the events or attributes that reference those galaxies.

Generated by OpenCVE AI on June 4, 2026 at 15:24 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description states that the issue has been fixed upstream by restricting galaxy queries for non-site-admin users to their own organisation's galaxies or galaxies with a non-private distribution (see Description above).

OpenCVE Recommended Actions

  • Upgrade to a MISP release that includes commit d3adfe1a, which limits galaxy queries for non-site-admin users to galaxies owned by the user's organisation or galaxies with a non-private distribution setting.
  • If an upgrade is not feasible, patch the event template creation code so that the galaxy query applies the same organisation and distribution filters for non-site-admin users, rather than returning every enabled galaxy.
  • Review access logs for non-site-admin accounts that opened the event template builder before the fix was applied, and assess which private galaxies from other organisations existed on the instance at that time, since their type and description should be treated as disclosed.

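The filter described in the Description and in the second recommended action above, as an added illustration in Python. This is not MISP's own code (MISP is a PHP/CakePHP application) and does not reproduce commit d3adfe1a; it models a galaxy loader before and after the described fix, plus a check that lists which galaxies a given user would see only because of the flaw. The `Galaxy`/`User` records, the field names and the encoding of "private" as MISP's "your organisation only" distribution level (0) are assumptions for the example.

```python
"""Access filter illustration for the MISP galaxy exposure (CVE-2026-10854).

Added example, not MISP's own code. Assumptions: each galaxy carries
`enabled`, `org_id` and `distribution`; "private" means MISP's
"your organisation only" distribution level, encoded here as 0.
"""
from dataclasses import dataclass

DIST_ORG_ONLY = 0  # assumed encoding of "your organisation only"


@dataclass(frozen=True)
class Galaxy:
    id: int
    name: str
    type: str
    description: str
    enabled: bool
    org_id: int
    distribution: int


@dataclass(frozen=True)
class User:
    org_id: int
    site_admin: bool


def load_galaxies_vulnerable(galaxies, user):
    """Pre-fix behaviour: only `enabled` is checked, so every user sees
    every enabled galaxy regardless of owner or distribution."""
    return [g for g in galaxies if g.enabled]


def load_galaxies_fixed(galaxies, user):
    """Post-fix behaviour as the CVE text describes it: site admins keep
    every enabled galaxy; everyone else gets their own organisation's
    galaxies plus galaxies whose distribution is not private."""
    enabled = [g for g in galaxies if g.enabled]
    if user.site_admin:
        return enabled
    return [
        g for g in enabled
        if g.org_id == user.org_id or g.distribution != DIST_ORG_ONLY
    ]


def leaked_galaxies(galaxies, user):
    """Galaxies the vulnerable loader returns but the fixed loader withholds,
    i.e. the private metadata this user should never have seen."""
    allowed = {g.id for g in load_galaxies_fixed(galaxies, user)}
    return [g for g in load_galaxies_vulnerable(galaxies, user)
            if g.id not in allowed]


# Constructed sample data: two organisations (10 and 20) on one instance.
SAMPLE_GALAXIES = [
    Galaxy(1, "mitre-attack-pattern", "mitre-attack-pattern",
           "Default galaxy, shared with all communities", True, 0, 3),
    Galaxy(2, "org-a-internal-tooling", "internal-tooling",
           "Org A private cluster set", True, 10, DIST_ORG_ONLY),
    Galaxy(3, "org-b-threat-actors", "threat-actor",
           "Org B private actor naming", True, 20, DIST_ORG_ONLY),
    Galaxy(4, "org-b-community", "campaign",
           "Org B, shared with this community", True, 20, 1),
    Galaxy(5, "org-a-disabled", "tooling",
           "Disabled galaxy, never listed", False, 10, DIST_ORG_ONLY),
]

ORG_A_USER = User(org_id=10, site_admin=False)
SITE_ADMIN = User(org_id=10, site_admin=True)

if __name__ == "__main__":
    for g in leaked_galaxies(SAMPLE_GALAXIES, ORG_A_USER):
        print(f"leaked to org {ORG_A_USER.org_id}: "
              f"id={g.id} type={g.type} description={g.description!r}")
```

For the Org A user the only difference between the two loaders is galaxy 3, Org B's private galaxy: galaxy 4 is also owned by Org B but is shared with the community, so it is visible either way. Sharing-group distribution (which would need a membership check) is not modelled because the CVE text does not mention it.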


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:00:00 +0000

Type: CPEs
  Values Added: cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*
Type: Metrics (cvssV3_1)
  Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Thu, 04 Jun 2026 16:45:00 +0000

Type: First Time appeared
  Values Added: Misp; Misp misp
Type: Vendors & Products
  Values Added: Misp; Misp misp

Thu, 04 Jun 2026 14:30:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 13:30:00 +0000

Type: Description
  Values Added: A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.
Type: Title
  Values Added: Unauthorized exposure of private galaxies in MISP event template creation
Type: Weaknesses
  Values Added: CWE-200
Type: References
  Values Added:
Type: Metrics (cvssV4_0)
  Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-04T13:53:45.610Z

Reserved: 2026-06-04T12:51:30.792Z

Link: CVE-2026-10854

Vulnrichment

Updated: 2026-06-04T13:53:41.387Z

NVD

Status : Analyzed

Published: 2026-06-04T14:16:37.630

Modified: 2026-06-05T19:51:39.410

Link: CVE-2026-10854

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T16:30:06Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor