CVE-2026-10861 | THREATINT

Description

An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence. The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\example.com.

PUBLISHED Reserved 2026-06-04 | Published 2026-06-04 | Updated 2026-06-04 | Assigner CIRCL

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/U:Green

Problem types

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Product status

Default status

unaffected

Any version

affected

Credits

Andras Iklody remediation developer

Jeroen Pinoy finder

References

github.com/...ommit/ae760b7bf534f2798810d59a1f961b31adb3443e patch

cve.org (CVE-2026-10861)

nvd.nist.gov (CVE-2026-10861)

Download JSON