Impact
An authenticated, low-privileged user can manipulate the field options of the New Users and New Organisations dashboard widgets in MISP so that the underlying query returns model fields the widget was never meant to expose. The defect arises because field filtering and redaction are applied in the wrong order: a crafted field selection can leave the field list empty, which triggers a fallback to the default field set, and that default set may include sensitive columns such as user e-mail addresses. The result is a loss of confidentiality, as restricted user or organisation metadata is disclosed to users who lack the permission to read it. The weakness is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
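The ordering defect described above, modelled as an added Python example. This is constructed code, not MISP's own: the user table, column names, widget allow-list and function names are all assumptions chosen to show the pattern. The vulnerable path strips forbidden columns from the caller's request and only then falls back to a default field set when the list is empty, so a request that consists solely of forbidden columns collapses to the default and leaks the very column it was denied. The hardened path applies the widget default first, validates every requested column against an allow-list, and rejects the request rather than silently widening it.

```python
"""Field-selection ordering bug in a dashboard widget, modelled generically.

Constructed example, not MISP code. A widget lets the caller choose which
columns of a user table to display. Two implementations are shown:
  vulnerable_widget: deny-list redaction, then fallback-to-default on empty.
  hardened_widget:   default first, then allow-list validation, never empty.
"""

# Constructed sample rows standing in for the ORM's User model.
USER_ROWS = [
    {"id": 1, "name": "alice", "email": "alice@example.org", "date_created": "2024-01-01"},
    {"id": 2, "name": "bob",   "email": "bob@example.org",   "date_created": "2024-02-01"},
]
ALL_COLUMNS = ["id", "name", "email", "date_created"]

SENSITIVE_COLUMNS = {"email"}                    # deny-list used by the vulnerable path
DEFAULT_FIELDS = ALL_COLUMNS                     # "default" set that still contains email
WIDGET_ALLOWED = ["id", "name", "date_created"]  # allow-list used by the hardened path
WIDGET_DEFAULT = ["name", "date_created"]        # safe default the widget shows unconfigured


def orm_find(fields):
    """Mimic an ORM find(): return only the requested columns for every row."""
    return [{col: row[col] for col in fields if col in row} for row in USER_ROWS]


def vulnerable_widget(requested):
    """Redact first, fall back second: the wrong order.

    A request of ["email"] is redacted to [], the empty list triggers the
    fallback, and the fallback set contains the column that was just removed.
    """
    fields = [f for f in requested if f not in SENSITIVE_COLUMNS]
    if not fields:                 # emptiness check runs AFTER redaction
        fields = DEFAULT_FIELDS    # widens the query to every column, email included
    return orm_find(fields)


class InvalidFieldRequest(ValueError):
    """Raised when a caller asks for a column the widget may not return."""


def hardened_widget(requested):
    """Default first, then allow-list validation; never let an empty list reach the ORM."""
    fields = list(requested) if requested else list(WIDGET_DEFAULT)
    disallowed = [f for f in fields if f not in WIDGET_ALLOWED]
    if disallowed:
        # Reject instead of silently dropping: a dropped field can never
        # produce an empty list that some later fallback would widen again.
        raise InvalidFieldRequest(f"fields not permitted for this widget: {disallowed}")
    return orm_find(fields)


def hardened_widget_or_none(requested):
    """Convenience wrapper: rows on success, None when the request is rejected."""
    try:
        return hardened_widget(requested)
    except InvalidFieldRequest:
        return None


def leaked_columns(rows):
    """Sorted list of sensitive columns present anywhere in a result set."""
    return sorted({col for row in rows for col in row if col in SENSITIVE_COLUMNS})


if __name__ == "__main__":
    # A low-privileged caller asks only for the forbidden column.
    print("vulnerable:", vulnerable_widget(["email"]))          # every column comes back
    print("leaked:    ", leaked_columns(vulnerable_widget(["email"])))
    print("hardened:  ", hardened_widget_or_none(["email"]))    # None: request rejected
    print("default:   ", hardened_widget([]))                   # safe default columns only
```

The check worth carrying over to any similar widget is the last one: the fallback to a default field set must be chosen because the caller supplied nothing, never because validation emptied the list, and the default itself must be a set that is safe for the lowest-privileged caller.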
Affected Systems
The vulnerability affects the MISP threat intelligence platform, specifically the New Users and New Organisations widgets on the dashboard. The advisory gives no explicit affected version range; the referenced commit patches the widget implementation in the current code base, and the fix applies to every release that ships the affected widgets. Any MISP instance that exposes these widgets and predates the fix commit should be treated as affected.
Risk and Exploitability
The CVSS base score of 5.3 places this issue in the medium severity range. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is currently no public evidence of exploitation in the wild; that absence is not evidence that the bug goes unexploited. Exploitation requires a valid account and access to the dashboard widgets, so the threat comes from insiders and from compromised low-privilege accounts rather than from unauthenticated attackers. Any authenticated user who can reach the widget can craft a field selection that triggers the bug, so exploitation is straightforward once credentials are held. The impact is limited to information disclosure; there is no code execution or denial of service.
OpenCVE Enrichment