CVE-2026-10860 | THREATINT

Description

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.

PUBLISHED Reserved 2026-06-04 | Published 2026-06-04 | Updated 2026-06-04 | Assigner CIRCL

HIGH: 7.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H

Problem types

CWE-863 Incorrect Authorization

Product status

Default status

unaffected

Any version

affected

Credits

Jeroen Pinoy finder

Andras Iklody remediation developer

References

github.com/...ommit/a5877559dc88ad7a0c935910a652c130489ae2bd patch

cve.org (CVE-2026-10860)

nvd.nist.gov (CVE-2026-10860)

Download JSON