CVE-2026-10864
MEDIUMDescription
A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause the underlying query to fall back to returning unintended model fields. For the New Users widget, this could allow a non-site-admin user to obtain user e-mail addresses even when user e-mail disclosure was disabled by configuration. For the New Organisations widget, crafted field selection could similarly result in unintended organisation fields being included in the dashboard response. The issue was caused by applying field filtering and redaction in a way that could leave the selected field list empty. The patch ensures that the allowed field list is built safely, that restricted fields such as user e-mail addresses are removed before user-supplied field selection is processed, and that an empty field selection falls back only to the permitted default fields. Impact: An authenticated low-privileged user with access to the affected dashboard widgets may be able to disclose restricted user or organisation metadata, including user e-mail addresses depending on configuration.
How to fix
Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploit Intelligence
Low risk: more likely to be exploited than 7% of all known CVEs.
References
Related Vulnerabilities
Other CWE-200 (Information Exposure) vulnerabilities, ordered by exploit likelihood. View all
| CVE | Severity | CVSS | EPSS | Exploited | Fix |
|---|---|---|---|---|---|
| CVE-2024-24919 | High | 8.6 | 100% | KEV + Ransom | - |
| CVE-2020-14181 | Medium | 5.3 | 100% | - | Fix |
| CVE-2021-34429 | Medium | 5.3 | 99% | - | Fix |
| CVE-2018-11409 | Medium | 5.3 | 98% | - | - |
| CVE-2021-41277 | Critical | 10.0 | 97% | KEV | - |
| CVE-2016-2183 | High | 7.5 | 96% | - | Fix |
Embed a live status badge for CVE-2026-10864
Markdown
[](https://tridentstack.com/cve/CVE-2026-10864)HTML
<a href="https://tridentstack.com/cve/CVE-2026-10864"><img src="https://tridentstack.com/cve/badge/CVE-2026-10864.svg" alt="CVE-2026-10864"></a>Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-06-22.