CVE-2026-10860
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk10th percentile - higher than 10% of all known CVEs
Summary
A logic error in the MISP CRUD component delete handler allows validation failures to be bypassed when using the HTTP DELETE method. Due to missing parentheses in the delete condition, a DELETE request could proceed even when the validation callback rejected the operation.
Risk Assessment
The risk is that an authenticated attacker with access to an affected delete endpoint could delete records that should have been protected by application-level validation or authorization checks.
Recommendation
It is recommended to fix the validation logic in the delete handler to ensure that DELETE requests are properly verified before executing the operation.
Original NVD description (English source)
A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.

