CVE-2026-10861

An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre login requested url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path.

An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence.

The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /example.com.