Description
An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path.

An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence.

The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\example.com.
Published: 2026-06-04
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in MISP UsersController::routeafterlogin, which uses the value stored in the pre_login_requested_url session key as the post-login redirect destination without sufficiently enforcing that it is a local application path. An attacker who can seed that value with an arbitrary external URL causes the user to be sent, immediately after a successful login on the trusted instance, to a site of the attacker's choosing. This weakness, classified as CWE-601, does not by itself disclose data held in MISP; its impact comes from what the attacker hosts at the destination, typically a counterfeit login page that harvests the credentials the victim has just entered, which is why the CVSS v4 vector scores a low confidentiality impact on the subsequent system (SC:L) rather than on MISP itself.

Affected Systems

The affected product is MISP; the advisory does not state affected or fixed versions, and the NVD CPE (cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*) is an unversioned wildcard. Any MISP instance whose UsersController::routeafterlogin does not carry the redirect-target validation described in the patch is vulnerable. No other vendors or products are listed.

Risk and Exploitability

The CVSS v4.0 base score of 5.1 (AV:N/AC:L/AT:N/PR:N/UI:A) is medium severity; NVD later added a CVSS v3.1 score of 6.1 (UI:R, S:C). The EPSS score is below 1%, and the vulnerability is not listed in CISA KEV. The attack requires no privileges on the MISP instance but does require active user interaction (UI:A): the victim must follow the attacker's link to the trusted MISP instance and then authenticate, after which the redirection to the attacker's URL is automatic. The primary defect is the absence of strict validation that the redirect target is a local application path.

Generated by OpenCVE AI on June 4, 2026 at 14:51 UTC.

Remediation

No vendor advisory or fix link is attached to this record. The CVE description itself states that the issue has been patched by decoding and parsing the stored URL and rejecting any target with a scheme, host or user component, a missing or non-local path, or a protocol-relative form such as //example.com or /\example.com; no workaround short of that change is given.

OpenCVE Recommended Actions

  • Update the MISP instance to the latest release that incorporates the redirect-target validation, so that only local application paths are accepted after login
  • Verify that any custom or downstream redirect logic (for example, forks or plugins that reuse pre_login_requested_url) decodes the value first and rejects external schemes, hosts, user components, and protocol-relative forms such as //host and /\host
  • Review web server and application logs for post-login responses whose Location header points to another host; any such hit after patching indicates the fix is not in place or a custom redirect path bypasses it

Generated by OpenCVE AI on June 4, 2026 at 14:51 UTC.
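The following is an added illustration, not MISP's code (MISP itself is PHP; this is a Python sketch of the same rule set), covering the rejection rules the description attributes to the patch and the recommended action of verifying that any custom redirect logic enforces internal paths. It places the vulnerable shape (use the session value as-is) beside a hardened check, and goes slightly beyond the advisory's two named forms by also rejecting percent-encoded, extra-slash and whitespace variants that browsers normalise to the same protocol-relative URL. The session key name pre_login_requested_url is the advisory's; DEFAULT_LANDING, the helper names and the sample inputs are assumed or constructed for this example.

```python
"""Post-login redirect validation: vulnerable pattern next to a hardened check.

Added example, not MISP's code. Applies the rules the CVE description attributes
to the patch: decode, parse, reject scheme/host/user component, require a local
absolute path, reject protocol-relative forms such as //host and /\\host.
"""

from urllib.parse import unquote, urlsplit

DEFAULT_LANDING = "/"  # assumed safe fallback when the stored target is rejected


def unsafe_post_login_target(session: dict) -> str:
    """The vulnerable shape: whatever was stashed before login is used as-is."""
    return session.get("pre_login_requested_url") or DEFAULT_LANDING


def is_local_path(target) -> bool:
    """True only for an absolute path on this origin, e.g. '/events/view/1?x=1#a'."""
    if not isinstance(target, str) or not target:
        return False
    # Decode once first so %2F / %5C cannot smuggle a '//' or '/\' past the checks.
    decoded = unquote(target)
    # Browsers strip leading/trailing spaces and tab/CR/LF before parsing, which
    # would turn '/\t/host' into '//host'; refuse anything that needs normalising.
    if decoded != decoded.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    # Backslash is treated as a slash in http(s) URLs, so '/\host' means '//host'.
    if "\\" in decoded:
        return False
    # Must be an absolute local path and not protocol-relative. '///host' is also
    # read as an authority by browsers, so check the raw string, not the parser.
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False
    parts = urlsplit(decoded)
    # Belt and braces: a parsed scheme, host or user component is never acceptable.
    if parts.scheme or parts.netloc or parts.username or parts.password:
        return False
    return True


def safe_post_login_target(session: dict) -> str:
    """Hardened shape: use the stored target only if it passes is_local_path."""
    target = session.get("pre_login_requested_url")
    return target if is_local_path(target) else DEFAULT_LANDING


# Constructed inputs: the forms named in the CVE description plus encodings that
# browsers normalise to the same thing. True = should be accepted as local.
SAMPLES = {
    "/events/index": True,
    "/events/view/1?extended=1#comments": True,
    "/": True,
    "https://example.com/": False,        # scheme + host
    "//example.com": False,               # protocol-relative
    "///example.com": False,              # extra slashes are ignored by browsers
    "/\\example.com": False,              # backslash form named in the advisory
    "%2F%2Fexample.com": False,           # encoded protocol-relative
    "/%5Cexample.com": False,             # encoded backslash
    "/\t/example.com": False,             # tab stripped by browsers -> //example.com
    "http://user@example.com/": False,    # user component
    "javascript:alert(1)": False,         # non-http scheme
    "events/index": False,                # relative, not an application path
    "": False,
}


def mismatches() -> list:
    """Return the sample inputs whose validation result differs from expectation."""
    return [t for t, ok in SAMPLES.items() if is_local_path(t) != ok]


if __name__ == "__main__":
    victim_session = {"pre_login_requested_url": "//example.com/login"}
    print("unsafe:", unsafe_post_login_target(victim_session))  # //example.com/login
    print("safe:  ", safe_post_login_target(victim_session))    # /
    print("mismatches:", mismatches())                          # []
```

The checks on the raw decoded string come before the parser on purpose: urllib's urlsplit reads "///example.com" as an empty host with path "/example.com", whereas a browser resolving it against the MISP origin goes to example.com, so a validator that trusts only the parser's host field can still be bypassed.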


Advisories

No advisories yet.

History

Mon, 08 Jun 2026 14:00:00 +0000
  CPEs (values added): cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*
  Metrics (values added): cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 04 Jun 2026 15:15:00 +0000
  First Time appeared (values added): Misp; Misp misp
  Vendors & Products (values added): Misp; Misp misp

Thu, 04 Jun 2026 14:30:00 +0000
  Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 13:30:00 +0000
  Description (values added): An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence. The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\example.com.
  Title (values added): MISP post-login open redirect via pre_login_requested_url
  Weaknesses (values added): CWE-601
  References (values added): (no values)
  Metrics (values added): cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/U:Green'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-04T13:45:14.922Z

Reserved: 2026-06-04T13:25:04.695Z

Link: CVE-2026-10861

Vulnrichment

Updated: 2026-06-04T13:45:11.523Z

NVD

Status : Analyzed

Published: 2026-06-04T14:16:38.090

Modified: 2026-06-08T13:56:38.247

Link: CVE-2026-10861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T15:00:14Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')