Misp · Misp · CVE-2026-10611
**Name of the Vulnerable Software and Affected Versions**
MISP (affected versions not specified)
**Description**
An authentication bypass occurs when LDAP mixed authentication is enabled alongside OTP enforcement. In configurations where `LdapAuth.mixedAuth` is set to `true` and `Security.require otp` is set to `true`, the application may establish an authenticated session during the `beforeFilter` phase before the standard login flow enforces the OTP challenge. This allows an attacker with valid primary credentials to bypass the OTP step by authenticating via the plugin-backed flow and directly accessing an application URL, gaining access without a valid TOTP, HOTP, or email OTP code.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.