Description
A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.
Published: 2026-06-04
Score: 7.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in the delete handler of the MISP CRUD component causes validation failures to be bypassed for HTTP DELETE requests. Because the missing parentheses make the delete condition evaluate as (validationError is null AND request method is POST) OR request method is DELETE, an authenticated attacker can send a DELETE request and successfully delete a record even when the application-level validation callback would otherwise deny the operation. This flaw allows the destruction of data that should have been protected by validation or authorization checks, compromising data integrity and availability.
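The precedence error described in the Description and in the Impact paragraph above, worked through as an added example that is not MISP's own code: the request, store, handler and validation callback below are constructed stand-ins written in Python, whose `and`/`or` precedence matches PHP's `&&`/`||`, so the unparenthesised condition misbehaves exactly as the advisory describes. The vulnerable handler is shown beside the corrected one, and a small truth table makes the difference visible for every method/validation combination.

```python
"""Operator-precedence bug from CVE-2026-10860, reproduced on constructed stand-ins.

This is an added illustration for this page, not MISP's code. Only the shape of
the delete condition mirrors the CVE description; everything else is made up.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    """Constructed stand-in for an HTTP request; only the method matters here."""
    method: str


@dataclass
class Store:
    """Constructed in-memory record store keyed by record id."""
    records: Dict[str, dict] = field(default_factory=dict)


def validate_delete(record_id: str, store: Store) -> Optional[str]:
    """Constructed delete-validation callback: returns an error message to
    reject the deletion, or None to allow it."""
    if store.records.get(record_id, {}).get("protected"):
        return "record is protected"
    return None


def delete_vulnerable(request: Request, record_id: str, store: Store) -> bool:
    """Mirrors the flawed condition. Without parentheses, `and` binds tighter
    than `or` (as `&&` does over `||` in PHP), so the test is really
        (validation_error is None and is_post) or is_delete
    and a DELETE request proceeds regardless of the validation result."""
    validation_error = validate_delete(record_id, store)
    is_post = request.method == "POST"
    is_delete = request.method == "DELETE"
    if validation_error is None and is_post or is_delete:
        store.records.pop(record_id, None)
        return True
    return False


def delete_fixed(request: Request, record_id: str, store: Store) -> bool:
    """Corrected form: the validation result gates both request methods."""
    validation_error = validate_delete(record_id, store)
    is_post = request.method == "POST"
    is_delete = request.method == "DELETE"
    if validation_error is None and (is_post or is_delete):
        store.records.pop(record_id, None)
        return True
    return False


Handler = Callable[[Request, str, Store], bool]


def truth_table(handler: Handler) -> Dict[Tuple[str, bool], bool]:
    """Run a handler over every (method, protected) combination and return
    {(method, protected): record_was_deleted} so variants can be compared."""
    results: Dict[Tuple[str, bool], bool] = {}
    for method in ("POST", "DELETE", "GET"):
        for protected in (False, True):
            store = Store({"r1": {"protected": protected}})
            results[(method, protected)] = handler(Request(method), "r1", store)
    return results


if __name__ == "__main__":
    for name, handler in (("vulnerable", delete_vulnerable), ("fixed", delete_fixed)):
        print(name)
        for (method, protected), deleted in truth_table(handler).items():
            print(f"  method={method:6} protected={protected!s:5} deleted={deleted}")
```

The only row that differs between the two tables is (DELETE, protected): the vulnerable handler deletes the record although the callback rejected it, the fixed handler refuses. A unit test of that single row is the natural regression check for the correction in commit a5877559dc88ad7a0c935910a652c130489ae2bd.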

Affected Systems

The vulnerability affects the MISP platform (vendor: misp; product: MISP). No specific version information is provided in the CVE data; administrators should check whether their deployed MISP instance contains the delete-handler code changed by the referenced GitHub commit.

Risk and Exploitability

The CVSS score of 7.9 indicates high severity, but the EPSS score is not available, suggesting that the exploit probability is not quantified. The flaw is not listed in the CISA KEV catalog. The attack requires an authenticated user with access to a delete endpoint; the attacker can send an HTTP DELETE request to trigger the bypass. No additional prerequisites beyond authentication are described in the CVE data, implying that once the user can authenticate to the MISP service, the deletion can be performed.

Generated by OpenCVE AI on June 4, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MISP installation to the latest release that incorporates the commit a5877559dc88ad7a0c935910a652c130489ae2bd, which resolves the delete-validation bypass.
  • Verify that the deployed code base includes the fixed logic by checking the git revision or inspecting the delete handler for the corrected parentheses expression.
  • As a temporary protective measure, restrict HTTP DELETE access to administrative users only or block the delete endpoint for non-privileged roles using your web server or application firewall until the patch is applied.


Advisories

No advisories yet.

History

Mon, 08 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Misp
Misp misp
Vendors & Products Misp
Misp misp

Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.
Title MISP CRUDComponent delete validation bypass via operator precedence error
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 7.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-11T13:24:54.103Z

Reserved: 2026-06-04T13:25:04.022Z

Link: CVE-2026-10860

Vulnrichment

Updated: 2026-06-04T17:16:30.678Z

NVD

Status: Analyzed

Published: 2026-06-04T15:16:49.433

Modified: 2026-06-08T13:54:42.657

Link: CVE-2026-10860

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T16:00:17Z

Weaknesses