CVE-2026-10854 | THREATINT

Description

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.

PUBLISHED Reserved 2026-06-04 | Published 2026-06-04 | Updated 2026-06-04 | Assigner CIRCL

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/U:Green

Problem types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status

unaffected

Any version

affected

Credits

Andras Iklody remediation developer

References

github.com/...ommit/d3adfe1a097dd4b403364e9af34e208660eeec1a patch

cve.org (CVE-2026-10854)

nvd.nist.gov (CVE-2026-10854)

Download JSON