CVE Catalog

CVE-2026-10854

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile - higher than 7% of all known CVEs

Summary

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions.

Risk Assessment

Organisations may be exposed to the disclosure of private galaxy metadata, such as galaxy type and description, to users who should not have access. This could lead to privacy breaches and data security issues.

Recommendation

It is recommended that site administrators ensure all galaxies are properly configured for privacy and access settings. Monitoring user access to galaxies should also be implemented to prevent similar incidents in the future.

Original NVD description (English source)

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user’s organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS