Back to overview

CVE-2026-5270

CRITICAL
9.8
CVSS 3.1
Description
An authentication bypass vulnerability exists in certain releases of Ciena Navigator Network Control Suite (NCS), Manage Control Plan (MCP), and Blue Planet products. The issue is caused by improper handling of HTTP request paths and headers, which allows an unauthenticated attacker to manipulate requests in a manner that bypasses authentication and associated audit logging controls.

Metadata

CVE ID
CVE-2026-5270
State
PUBLISHED
Assigner
Ciena
Reserved
2026-03-31 19:44 UTC
Published
2026-07-14 22:24 UTC
Last updated
2026-07-15 12:39 UTC
Primary CWE
CWE-287
CWE-287 Improper Authentication
Vendor / Product
CIENA / Navigator NCS
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
total
Affected products (7)
VendorProductPlatformVersions
Blue Planet Inventory <=24.04.001, <=23.12.401, <=23.08.302, <=23.04.701
Blue Planet Orchestration <=24.04.2, <=23.12.3, <=23.08.4, <=23.04.2
Blue Planet Route Optimization & Analysis <=24.04.1.2-R, <=23.12.1.6-R, <=23.08.1.6-R, <=23.04.P01-9-R
Blue Planet Unified Assurance & Analytics <=24.04 MR1, <=23.12 MR3, <=23.04. MR4
CIENA MCP <= 8.0
CIENA Navigator NCS 8.1
CIENA Planner Plus OnPrem <= 4.1
Weakness (CWE)
CWESourceDescription
CWE-287 cna CWE-287 Improper Authentication
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 adp CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Back to overview