Cyber Posture

CVE-2026-39962

Critical

Published: 09 April 2026

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.0th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Description

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Requires validation and sanitization of untrusted inputs like username values used in LDAP queries to prevent injection attacks that manipulate search filters.

prevent

Mandates timely remediation of identified flaws, such as patching MISP to version 2.5.36 to fix the LDAP injection vulnerability.

prevent

Ensures secure configuration settings by prohibiting use of user-controlled server variables in ApacheAuthenticate.apacheEnv, reducing exploit conditions in proxy setups.

Security Summary · AI

CVE-2026-39962 is an LDAP injection vulnerability in MISP, an open source threat intelligence and sharing platform. It affects versions prior to 2.5.36, specifically in the ApacheAuthenticate.php component, where an unsanitized username value is used in an LDAP query. The issue arises when ApacheAuthenticate.apacheEnv is configured to rely on a user-controlled server variable rather than REMOTE_USER, such as in certain proxy setups, leading to improper neutralization of special elements (CWE-90). The vulnerability has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

An unauthenticated attacker with network access can exploit this vulnerability if they control the relevant server variable, requiring some user interaction. By injecting malicious content into the username value, they can manipulate the LDAP search filter, potentially bypassing authentication constraints or executing unauthorized LDAP queries against the directory.

Mitigation is available in MISP version 2.5.36, which includes fixes via commits such as 380ee4136a7d9ce2fe63fce06d517839f30aba10 and d7d671ea8f5822e91207dcad2003c35c30092a32. Security practitioners should upgrade to this release and review configurations to ensure ApacheAuthenticate.apacheEnv does not use user-controlled variables. Additional details are provided in the MISP security advisory GHSA-mc53-48w8-9g63 and the v2.5.36 release notes.
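The input-neutralization step described above, as an added example that is not MISP's code or the upstream fix: it applies RFC 4515 escaping to a username before the value is placed in an LDAP search filter. The function names, the `uid` attribute, the length limit and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not MISP code. All names and sample values are constructed.

/** Escape a value for use inside an LDAP search filter assertion (RFC 4515). */
function escapeLdapFilterValue(string $value): string
{
    // Use the LDAP extension's escaper when it is loaded.
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Fallback: hex-encode the filter metacharacters and NUL.
    // strtr() with an array never rescans its own replacements.
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

/** Build "(attribute=value)" from a trusted attribute name and an untrusted username. */
function buildUserFilter(string $attribute, string $username): string
{
    // The attribute name must come from configuration, never from the request.
    if (preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $attribute) !== 1) {
        throw new InvalidArgumentException('invalid attribute name');
    }
    // Assumed limit: reject empty or oversized usernames before querying.
    if ($username === '' || strlen($username) > 256) {
        throw new InvalidArgumentException('username empty or too long');
    }
    return sprintf('(%s=%s)', $attribute, escapeLdapFilterValue($username));
}

// Constructed inputs: a plain name and three values containing filter metacharacters.
$samples = ['jdoe', 'j*', 'a)(b', "back\\slash"];
foreach ($samples as $s) {
    // Left column: naive concatenation; right column: escaped filter.
    printf("naive: (uid=%s)\tescaped: %s\n", $s, buildUserFilter('uid', $s));
}
```

In the escaped column every metacharacter appears as a backslash-hex pair, so the filter keeps a single `(uid=...)` assertion regardless of what the server variable contained.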

Details

CWE(s)

Affected Products

misp
misp
≤ 2.5.36

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

LDAP injection vulnerability in public-facing web application (MISP) enables unauthenticated exploitation for authentication bypass or unauthorized LDAP queries, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
