SFTP Server Authentication Weakness
Summary
| CVE | CVE-2026-5268 |
|---|---|
| State | PUBLISHED |
| Assigner | Ciena |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-06 16:16:38 UTC |
| Updated | 2026-07-08 21:16:54 UTC |
| Description | An authentication bypass vulnerability exists in the default SFTP server component utilized across the Ciena products listed. This vulnerability allows a remote, unauthenticated attacker to bypass security controls and gain unauthorized access to the underlying filesystem. Successful exploitation could allow an attacker to read or modify system files. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.004200000 probability, percentile 0.339300000 (date 2026-07-11)
Problem Types: CWE-288 | CWE-288 CWE-288 Authentication bypass using an alternate path or channel
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | CIENA | 6500 S-Series | affected R16.96 and prior | Not specified |
| CNA | CIENA | 6500 T-Series | affected R16.1 and prior | Not specified |
| CNA | CIENA | PTS | affected R16.1 and prior | Not specified |
| CNA | CIENA | CPL | affected R12.63 and prior | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.ciena.com/product-security | 7bd90cf1-1651-495e-9ae8-9415fb3c9feb | www.ciena.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
Solutions
CNA: Ciena recommends upgrading to the latest available remediated release. For additional details, refer to myciena.com for current software versions, fixes, and security advisories.
There are currently no legacy QID mappings associated with this CVE.