CVE Catalog

CVE-2026-10611

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile — higher than 27% of all known CVEs

Summary

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. Users can access the application without going through the required OTP verification step.

Risk Assessment

An attacker with valid authentication credentials could bypass the OTP requirement, leading to unauthorized access to the application as another user. This poses a serious threat to data security.

Recommendation

It is recommended to update the configuration to enforce OTP verification immediately after plugin authentication, before the user session is established. Ensure users are redirected to the appropriate OTP verification page.

Original NVD description (English source)

An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge. As a result, an attacker with valid primary authentication credentials could bypass the required OTP step by authenticating through the plugin-backed login flow and then directly accessing another application URL instead of completing the OTP verification page. This allows access to the application as the affected user without providing a valid TOTP, HOTP, or email OTP code. The issue affects configurations where plugin-based authentication is enabled and OTP is expected to be mandatory. The fix ensures that OTP requirements are checked immediately after plugin authentication and before the user session is established, redirecting users to the appropriate OTP challenge when required.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS