Description
A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value was processed by the underlying data access layer, this could allow manipulation of database query ordering and potentially expose the application to unsafe query construction.

The patch removes order from the set of request-controlled parameters and instead sets the ordering server-side to occurrence desc after processing allowed user parameters.

Affected component:
app/Controller/CorrelationsController.php, overCorrelations()

Security impact:
An authenticated attacker could influence the ordering clause used by the over-correlations query. The direct impact appears limited to query manipulation unless further evidence confirms SQL injection or unauthorized data exposure through the manipulated ordering expression.
Published: 2026-06-04
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the over‑correlation endpoint reading an "order" value from the named request parameters of authenticated client requests. This lets the caller override the server‑defined ordering of over‑correlating values. Column names and sort directions in an ORDER BY clause cannot be passed as bind parameters, so a data access layer that does not restrict the value to a known set of columns has to splice it into the SQL text; that is why an attacker‑controlled ordering expression is a potential SQL injection vector and not merely a cosmetic change. The CVE description stops short of confirming that outcome: it states that the impact appears limited to query manipulation unless further evidence of SQL injection or data exposure is demonstrated. The weakness is classified as improper input validation (CWE‑20).

Affected Systems

The affected component is MISP’s CorrelationsController, specifically the overCorrelations action defined in app/Controller/CorrelationsController.php. No affected or fixed version numbers are listed on this page, and no reference link to the fixing commit is recorded here; the CVE text describes the fix (ordering pinned server‑side to occurrence desc after the allowed parameters are processed) without identifying it. The vendor is misp, product MISP.

Risk and Exploitability

The risk is moderate: the CVSS v4 score is 6.4, no EPSS data is available, and the vulnerability is not cataloged in the CISA KEV list. The vector marks privileges required as high (PR:H) with no user interaction, so the endpoint is not reachable unauthenticated and the scorer assumed a privileged rather than an ordinary account. Direct confidentiality and integrity impact are rated low, but subsequent‑system confidentiality, integrity and availability impact are rated high (SC:H/SI:H/SA:H), which is what lifts the score despite the limited direct effect. Whether the flaw amounts to more than reordering depends on how the data layer handled the supplied value: if it was mapped onto known column names the effect is cosmetic, but if it reached the SQL text unchanged, a conditional ordering expression is a recognised way to extract data from other tables one boolean per request. No exploitation has been reported. Overall the likelihood is low to moderate, but because the worst case is not ruled out by the available evidence, timely remediation is warranted.

Generated by OpenCVE AI on June 4, 2026 at 15:23 UTC.

Remediation

No vendor advisory, fixed version or workaround is recorded on this page. The CVE description states that a patch exists and that it removes order from the request‑controlled parameters and fixes the ordering server‑side to occurrence desc, but no reference to that change is listed here.

OpenCVE Recommended Actions

  • Update MISP to the latest release or apply the referenced patch that removes the "order" parameter from user‑controlled request data and enforces server‑side ordering.
  • Verify that the over‑correlations endpoint no longer accepts an "order" query parameter from client requests.
  • Ensure that any remaining ordering logic in the data access layer never interpolates a client‑supplied value into ORDER BY. Column names and sort directions cannot be bound as query parameters, so the safe pattern is to map the request value onto a fixed allow‑list of column names and directions (or, as the patch does, to set the ordering server‑side and ignore the request value entirely); bind parameters remain the right tool for values such as limits and filters.

Generated by OpenCVE AI on June 4, 2026 at 15:23 UTC.
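To make the distinction drawn in the Impact section and in the third recommended action concrete, here is an added example; it is not MISP's code and not part of this OpenCVE page. Using Python with an in‑memory sqlite3 database over constructed rows, it models three ways an endpoint can handle an "order" request parameter: splicing it straight into ORDER BY (the pattern the advisory warns about, shown with a conditional ordering expression that leaks one boolean about an unrelated table per request), restricting it to an allow‑list of columns and directions, and ignoring it in favour of a server‑fixed occurrence DESC, which is what the CVE text says the patch does. The table, column and parameter names are assumptions chosen for illustration.

```python
"""Constructed illustration of an ORDER BY value taken from request input.

Not MISP's code: table names, column names and the accepted parameters are
assumptions chosen to resemble the endpoint described in the advisory.
"""
import sqlite3

# Constructed sample data: over-correlating values with their occurrence counts.
SAMPLE_ROWS = [
    ("1.2.3.4", 120),
    ("example.com", 75),
    ("deadbeef", 310),
    ("8.8.8.8", 42),
]

# Request parameters the hardened endpoint is willing to read (assumption).
ALLOWED_PARAMS = {"limit", "page"}
# Vocabulary the allow-listing variant accepts for a client-chosen ordering.
ORDER_COLUMNS = {"value", "occurrence"}
ORDER_DIRECTIONS = {"asc", "desc"}


def make_db():
    """In-memory database with the sample rows plus a second table standing in
    for data the caller is not supposed to learn anything about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE over_correlating_values (value TEXT, occurrence INTEGER)")
    conn.executemany("INSERT INTO over_correlating_values VALUES (?, ?)", SAMPLE_ROWS)
    conn.execute("CREATE TABLE secrets (flag TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('s3cr3t')")
    return conn


def query_unsafe(conn, params):
    """Vulnerable pattern: the client's `order` value is spliced into the SQL.
    Identifiers and sort keywords cannot be bound as parameters, so code that
    forwards this value unchecked has no choice but string concatenation."""
    order = params.get("order", "occurrence DESC")
    sql = f"SELECT value, occurrence FROM over_correlating_values ORDER BY {order}"
    return conn.execute(sql).fetchall()


def leak_secret_prefix(conn, guess):
    """Attacker side: one boolean per request. The ordering expression sorts by
    occurrence when the condition on the unrelated table holds, otherwise by
    value, and the caller can tell the two orderings apart from the response."""
    payload = (
        "(CASE WHEN (SELECT flag FROM secrets) LIKE '"
        + guess
        + "%' THEN occurrence ELSE value END)"
    )
    rows = query_unsafe(conn, {"order": payload})
    occurrences = [occ for _, occ in rows]
    # Ascending occurrence counts mean the THEN branch was taken for every row.
    return occurrences == sorted(occurrences)


def is_allowed_order(order):
    """True only for '<column> [asc|desc]' drawn from the fixed vocabulary."""
    column, _, direction = order.strip().partition(" ")
    direction = direction.strip().lower() or "asc"
    return column in ORDER_COLUMNS and direction in ORDER_DIRECTIONS


def query_allowlisted(conn, params):
    """Hardened variant 1: ordering stays client-selectable, but only from the
    allow-list, so the text that reaches the SQL is one of a handful of strings."""
    order = params.get("order", "occurrence desc")
    if not is_allowed_order(order):
        raise ValueError("unsupported order parameter")
    column, _, direction = order.strip().partition(" ")
    direction = direction.strip().lower() or "asc"
    sql = f"SELECT value, occurrence FROM over_correlating_values ORDER BY {column} {direction}"
    return conn.execute(sql).fetchall()


def query_server_ordered(conn, params):
    """Hardened variant 2, matching what the CVE text says the patch does:
    only ALLOWED_PARAMS are read from the request, `order` is never consulted,
    and the ordering is fixed server-side to occurrence DESC."""
    accepted = {k: v for k, v in params.items() if k in ALLOWED_PARAMS}
    limit = int(accepted.get("limit", 100))
    sql = "SELECT value, occurrence FROM over_correlating_values ORDER BY occurrence DESC LIMIT ?"
    return conn.execute(sql, (limit,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("default ordering:", query_unsafe(db, {}))
    print("secret starts with 's'?", leak_secret_prefix(db, "s"))
    print("secret starts with 'x'?", leak_secret_prefix(db, "x"))
    print("allow-listed value asc:", query_allowlisted(db, {"order": "value asc"}))
    print("server-ordered, order ignored:",
          query_server_ordered(db, {"order": "value asc", "limit": "2"}))
```

Run it with plain `python`; nothing beyond the standard library is needed. The allow‑listing variant is the general fix when a client‑chosen sort is a feature of the endpoint; pinning the order server‑side, as the advisory describes, is the simplest fix when it is not, and it also removes the need to reason about every database's quoting rules for identifiers.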


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Misp; Misp misp
Vendors & Products | (none) | Misp; Misp misp

Thu, 04 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value was processed by the underlying data access layer, this could allow manipulation of database query ordering and potentially expose the application to unsafe query construction. The patch removes order from the set of request-controlled parameters and instead sets the ordering server-side to occurrence desc after processing allowed user parameters. Affected component: app/Controller/CorrelationsController.php, overCorrelations() Security impact: An authenticated attacker could influence the ordering clause used by the over-correlations query. The direct impact appears limited to query manipulation unless further evidence confirms SQL injection or unauthorized data exposure through the manipulated ordering expression.
Title | (none) | MISP User-controlled order parameter in correlations over-correlation endpoint
Weaknesses | (none) | CWE-20
References | (none) | (none)
Metrics | (none) | cvssV4_0: score 6.4, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-04T13:44:49.399Z

Reserved: 2026-06-04T13:43:25.158Z

Link: CVE-2026-10863

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-04T15:16:49.690

Modified: 2026-06-04T15:19:41.920

Link: CVE-2026-10863

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T15:30:17Z

Weaknesses