CVE-2026-39962
Status: Received - Intake
LDAP Injection in MISP ApacheAuthenticate.php Allows Authentication Bypass

Publication date: 2026-04-09

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: misp
Product: misp
Version / Range: up to 2.5.36 (excluding)
CWE
CWE-90: The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39962 is an LDAP injection vulnerability in the MISP platform's ApacheAuthenticate.php component. It occurs when the ApacheAuthenticate.apacheEnv configuration uses a user-controlled Apache environment variable instead of the default REMOTE_USER, such as in certain proxy setups.

Because the username value from this environment variable is not properly sanitized before being used in LDAP queries, an attacker who can control this value can manipulate the LDAP search filter. This manipulation can allow the attacker to bypass authentication controls or execute unauthorized LDAP queries.

The vulnerability is due to improper neutralization of special elements in LDAP queries, classified under CWE-20 (Improper Input Validation). It affects MISP versions prior to 2.5.36 and has a high severity with a CVSS v4 score of 8.8.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The LDAP injection vulnerability in MISP allows an attacker to manipulate LDAP queries and potentially bypass authentication controls or execute unauthorized LDAP queries. This can lead to unauthorized access to sensitive information and compromise system integrity.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data, as well as ensuring data confidentiality and integrity.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to unauthorized data access or manipulation.


How can this vulnerability impact me?

This vulnerability can have serious impacts including allowing remote attackers to bypass authentication constraints or perform unauthorized LDAP queries without needing any privileges.

Such unauthorized access can compromise the confidentiality and integrity of the system, potentially exposing sensitive information or allowing malicious modifications.

The availability impact on the vulnerable MISP system itself is rated low, but the subsequent-system impact can be high across confidentiality, integrity, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves LDAP injection via unsanitized username values in LDAP queries when the ApacheAuthenticate.apacheEnv configuration uses a user-controlled server variable instead of REMOTE_USER. Detection involves monitoring for unusual or unauthorized LDAP queries or authentication bypass attempts that exploit this injection.

Since the vulnerability arises from unsanitized input in LDAP filters, you can detect attempts by inspecting LDAP query logs or Apache environment variables for suspicious characters or patterns that could indicate LDAP injection attempts.

No explicit detection commands are provided in the resources, but general approaches include:

  • Review Apache logs and environment variables for unexpected or malformed username values.
  • Monitor LDAP server logs for unusual search filters or queries that contain special LDAP characters or injection patterns.
  • Use network monitoring tools to capture and analyze LDAP traffic for suspicious filter strings.

For example, commands to check environment variables or logs might include:

  • On the server, check Apache environment variables: `printenv | grep -i user` or `env | grep -i user` to identify user-controlled variables.
  • Examine LDAP logs (location depends on LDAP server) for suspicious filters, e.g., `grep -i '(' /var/log/ldap/ldap.log`.
  • Use network capture tools like `tcpdump` or `wireshark` to filter LDAP traffic and inspect search filters.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update MISP to version 2.5.36 or later, where this LDAP injection vulnerability has been fixed.

The fix involves sanitizing the username input used in LDAP queries by applying the ldap_escape function with the LDAP_ESCAPE_FILTER flag, preventing injection of malicious LDAP filter content.

Additional immediate steps include:

  • Ensure that the ApacheAuthenticate.apacheEnv configuration is set to use REMOTE_USER instead of any user-controlled server variables, especially in proxy setups.
  • Review and restrict any proxy or header configurations that allow user-controlled input to be passed into Apache environment variables used for authentication.
  • Apply any available patches or updates from the MISP project promptly.
  • Audit LDAP queries and authentication mechanisms to confirm that input sanitization is in place.
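The following PHP is an added illustration of the fix described above, not MISP's own code: it places the unescaped filter-building pattern beside the ldap_escape(LDAP_ESCAPE_FILTER) form and flags when the configured server variable is something other than REMOTE_USER. The attribute name uid, the objectClass, and the config-check helper are assumptions; MISP's real filter and configuration layout may differ.

```php
<?php
// Added example (not MISP's code). Shows why the username from the
// ApacheAuthenticate.apacheEnv variable must be escaped before it is
// interpolated into an LDAP search filter, and how the fix neutralizes it.

// Fallback for hosts without ext-ldap: same mapping PHP's ldap_escape uses
// for LDAP_ESCAPE_FILTER (RFC 4515): \ * ( ) NUL -> \5c \2a \28 \29 \00.
if (!function_exists('ldap_escape')) {
    define('LDAP_ESCAPE_FILTER', 1);
    function ldap_escape(string $value, string $ignore = '', int $flags = 0): string
    {
        $map = ["\\" => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00'];
        foreach (str_split($ignore) as $c) {
            unset($map[$c]);              // honour the $ignore parameter
        }
        return strtr($value, $map);
    }
}

// Vulnerable pattern: the raw server variable lands inside the filter, so
// filter metacharacters in it change the query's structure (CWE-90).
function buildFilterUnsafe(string $username): string
{
    return "(&(objectClass=person)(uid={$username}))";
}

// Fixed pattern: metacharacters are escaped, so the value is matched literally.
function buildFilterSafe(string $username): string
{
    return '(&(objectClass=person)(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
}

// Assumed helper: reads the configured variable from $_SERVER and marks it
// untrusted unless it is REMOTE_USER, which Apache sets itself rather than
// deriving it from a client-supplied header (the proxy case in the advisory).
function configuredUsername(array $server, string $apacheEnv = 'REMOTE_USER'): array
{
    return [
        'username' => $server[$apacheEnv] ?? '',
        'trusted'  => $apacheEnv === 'REMOTE_USER',
    ];
}

// Constructed sample: a header-derived value carrying filter metacharacters.
$sample = ['REMOTE_USER' => 'alice', 'HTTP_X_FORWARDED_USER' => 'alice*)(uid=*'];
$user = configuredUsername($sample, 'HTTP_X_FORWARDED_USER');
echo $user['trusted'] ? "trusted source\n" : "untrusted source, escaping mandatory\n";
echo buildFilterUnsafe($user['username']), "\n"; // (&(objectClass=person)(uid=alice*)(uid=*))
echo buildFilterSafe($user['username']), "\n";   // (&(objectClass=person)(uid=alice\2a\29\28uid=\2a))
```

The second output line shows the escaped value treated as a literal username rather than as additional filter syntax, which is the behaviour the 2.5.36 fix restores.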
