CVE-2026-39962
Received Received - Intake
LDAP Injection in MISP ApacheAuthenticate.php Allows Authentication Bypass

Publication date: 2026-04-09

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39962
EUVD
EUVD-2026-20966
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
misp misp to 2.5.36 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-90 The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39962 is an LDAP injection vulnerability in the MISP platform's ApacheAuthenticate.php component. It occurs when the ApacheAuthenticate.apacheEnv configuration uses a user-controlled Apache environment variable instead of the default REMOTE_USER, such as in certain proxy setups.

Because the username value from this environment variable is not properly sanitized before being used in LDAP queries, an attacker who can control this value can manipulate the LDAP search filter. This manipulation can allow the attacker to bypass authentication controls or execute unauthorized LDAP queries.

The vulnerability is due to improper neutralization of special elements in LDAP queries, classified under CWE-20 (Improper Input Validation). It affects MISP versions prior to 2.5.36 and has a high severity with a CVSS v4 score of 8.8.

Compliance Impact

The LDAP injection vulnerability in MISP allows an attacker to manipulate LDAP queries and potentially bypass authentication controls or execute unauthorized LDAP queries. This can lead to unauthorized access to sensitive information and compromise system integrity.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data, as well as ensuring data confidentiality and integrity.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to unauthorized data access or manipulation.

Impact Analysis

This vulnerability can have serious impacts including allowing remote attackers to bypass authentication constraints or perform unauthorized LDAP queries without needing any privileges.

Such unauthorized access can compromise the confidentiality and integrity of the system, potentially exposing sensitive information or allowing malicious modifications.

The impact on availability is considered low initially, but subsequent system impact can be high across confidentiality, integrity, and availability.

Detection Guidance

This vulnerability involves LDAP injection via unsanitized username values in LDAP queries when the ApacheAuthenticate.apacheEnv configuration uses a user-controlled server variable instead of REMOTE_USER. Detection involves monitoring for unusual or unauthorized LDAP queries or authentication bypass attempts that exploit this injection.

Since the vulnerability arises from unsanitized input in LDAP filters, you can detect attempts by inspecting LDAP query logs or Apache environment variables for suspicious characters or patterns that could indicate LDAP injection attempts.

No explicit detection commands are provided in the resources, but general approaches include:

  • Review Apache logs and environment variables for unexpected or malformed username values.
  • Monitor LDAP server logs for unusual search filters or queries that contain special LDAP characters or injection patterns.
  • Use network monitoring tools to capture and analyze LDAP traffic for suspicious filter strings.

For example, commands to check environment variables or logs might include:

  • On the server, check Apache environment variables: `printenv | grep -i user` or `env | grep -i user` to identify user-controlled variables.
  • Examine LDAP logs (location depends on LDAP server) for suspicious filters, e.g., `grep -i '(' /var/log/ldap/ldap.log`.
  • Use network capture tools like `tcpdump` or `wireshark` to filter LDAP traffic and inspect search filters.
Mitigation Strategies

The primary mitigation step is to update MISP to version 2.5.36 or later, where this LDAP injection vulnerability has been fixed.

The fix involves sanitizing the username input used in LDAP queries by applying the ldap_escape function with the LDAP_ESCAPE_FILTER flag, preventing injection of malicious LDAP filter content.

Additional immediate steps include:

  • Ensure that the ApacheAuthenticate.apacheEnv configuration is set to use REMOTE_USER instead of any user-controlled server variables, especially in proxy setups.
  • Review and restrict any proxy or header configurations that allow user-controlled input to be passed into Apache environment variables used for authentication.
  • Apply any available patches or updates from the MISP project promptly.
  • Audit LDAP queries and authentication mechanisms to confirm that input sanitization is in place.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39962. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart