Description
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.
Published: 2026-04-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: LDAP injection that may bypass authentication or perform unauthorized LDAP queries
Action: Immediate Patch
AI Analysis

Impact

A crafted LDAP search filter can be constructed when a user-controlled Apache environment variable supplies the username. The resulting injection could bypass authentication checks or retrieve sensitive LDAP information. The weakness is a classic LDAP injection, identified as CWE-90, with potential loss of confidentiality or integrity for data stored in the directory.

Affected Systems

The vulnerability affects the MISP threat intelligence platform; versions prior to 2.5.36 are impacted. The issue arises in the ApacheAuthenticate component when ApacheAuthenticate.apacheEnv is configured to read the username from a user-controlled server variable instead of the default REMOTE_USER, as can happen in certain proxy setups.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as high. Although an EPSS score is not available, the attack vector is clearly external: an attacker who can control the specified Apache variable may influence the LDAP query. Because the vulnerability is not listed in the CISA KEV catalog, no public exploit is known, but the high severity and external nature warrant immediate attention.

Generated by OpenCVE AI on April 9, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MISP to version 2.5.36 or later.
  • Configure ApacheAuthenticate.apacheEnv to use the immutable REMOTE_USER variable and avoid user-controllable variables.
  • Monitor HTTP environment variables for unexpected values and audit LDAP query logs for anomalies.

Generated by OpenCVE AI on April 9, 2026 at 18:23 UTC.
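The fix for this class of bug is to escape the username before it is interpolated into the LDAP search filter. The following is an added example written for this page, not MISP's own ApacheAuthenticate.php code: the filter template, the uid/objectClass attributes and the sample username are assumptions, and the hardened variant relies on ldap_escape() from PHP's ldap extension.

```php
<?php
// Added example, not MISP's own code. Assumed: the filter template and the
// uid/objectClass attribute names are hypothetical; needs the PHP ldap extension.

// Vulnerable pattern (CWE-90): the value read from the configured server
// variable is concatenated into the filter unchanged, so any filter
// metacharacters it carries become part of the filter's structure.
function buildFilterUnsafe(string $username): string
{
    return '(&(objectClass=person)(uid=' . $username . '))';
}

// Hardened pattern: escape per RFC 4515 before interpolation. With
// LDAP_ESCAPE_FILTER, ldap_escape() rewrites * ( ) \ and NUL as
// \2a \28 \29 \5c \00, so the value can only ever match as a literal.
function buildFilterSafe(string $username): string
{
    $escaped = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    return '(&(objectClass=person)(uid=' . $escaped . '))';
}

// Detection aid: a legitimate uid never contains filter metacharacters, so
// their presence in the trusted variable is worth logging before any lookup.
function containsFilterMetachars(string $username): bool
{
    return preg_match('/[*()\\\\\x00]/', $username) === 1;
}

// Constructed sample value carrying filter metacharacters.
$sample = 'al*ice)';

// The unsafe filter is structurally altered by the sample; the safe one
// keeps the same shape with the metacharacters hex-escaped.
echo buildFilterUnsafe($sample), PHP_EOL;
echo buildFilterSafe($sample), PHP_EOL;

// Flag the value so the attempt is logged at the authentication boundary.
if (containsFilterMetachars($sample)) {
    error_log('LDAP filter metacharacters in username from apacheEnv variable');
}
```

Pair the escaping with the recommended configuration change: when apacheEnv points at REMOTE_USER rather than a proxy-supplied header, the value never originates from the client in the first place.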

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Fri, 10 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Misp; Misp misp
Vendors & Products | | Misp; Misp misp

Thu, 09 Apr 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.
Title | | LDAP injection in MISP ApacheAuthenticate when using a user-controlled Apache environment variable
Weaknesses | | CWE-90
References | |
Metrics | | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T14:07:02.751Z

Reserved: 2026-04-07T22:40:33.822Z

Link: CVE-2026-39962

Vulnrichment

Updated: 2026-04-10T14:06:59.773Z

NVD

Status: Analyzed

Published: 2026-04-09T17:16:30.600

Modified: 2026-04-23T15:09:47.333

Link: CVE-2026-39962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:08Z

Weaknesses