Authentication Bypass in Navigator and Blue Planet Products
Summary
| CVE | CVE-2026-5270 |
|---|---|
| State | PUBLISHED |
| Assigner | Ciena |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-14 23:17:34 UTC |
| Updated | 2026-07-15 20:08:02 UTC |
| Description | An authentication bypass vulnerability exists in certain releases of Ciena Navigator Network Control Suite (NCS), Manage Control Plan (MCP), and Blue Planet products. The issue is caused by improper handling of HTTP request paths and headers, which allows an unauthenticated attacker to manipulate requests in a manner that bypasses authentication and associated audit logging controls. |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.002170000 probability, percentile 0.120580000 (date 2026-07-15)
Problem Types: CWE-287 | CWE-287 CWE-287 Improper Authentication
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | CIENA | Navigator NCS | affected 8.1 | Not specified |
| CNA | CIENA | MCP | affected <= 8.0 | Not specified |
| CNA | CIENA | Planner Plus OnPrem | affected <= 4.1 | Not specified |
| CNA | Blue Planet | Inventory | affected <=24.04.001 | Not specified |
| CNA | Blue Planet | Inventory | affected <=23.12.401 | Not specified |
| CNA | Blue Planet | Inventory | affected <=23.08.302 | Not specified |
| CNA | Blue Planet | Inventory | affected <=23.04.701 | Not specified |
| CNA | Blue Planet | Orchestration | affected <=24.04.2 | Not specified |
| CNA | Blue Planet | Orchestration | affected <=23.12.3 | Not specified |
| CNA | Blue Planet | Orchestration | affected <=23.08.4 | Not specified |
| CNA | Blue Planet | Orchestration | affected <=23.04.2 | Not specified |
| CNA | Blue Planet | Route Optimization Analysis | affected <=24.04.1.2-R | Not specified |
| CNA | Blue Planet | Route Optimization Analysis | affected <=23.12.1.6-R | Not specified |
| CNA | Blue Planet | Route Optimization Analysis | affected <=23.08.1.6-R | Not specified |
| CNA | Blue Planet | Route Optimization Analysis | affected <=23.04.P01-9-R | Not specified |
| CNA | Blue Planet | Unified Assurance Analytics | affected <=24.04 MR1 | Not specified |
| CNA | Blue Planet | Unified Assurance Analytics | affected <=23.12 MR3 | Not specified |
| CNA | Blue Planet | Unified Assurance Analytics | affected <=23.04. MR4 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.ciena.com/product-security | 7bd90cf1-1651-495e-9ae8-9415fb3c9feb | www.ciena.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Special thanks to the team at TDC NET for their contribution. (en)
Additional Advisory Data
Solutions
CNA: Ciena recommends upgrading to the latest available remediated release. For additional details, refer to myciena.com for current software versions, fixes, and security advisories. Remediation and Fixes: Products Remediated Version BP Inventory >=24.08, 24.04.100, 23.12.500, 23.08.400, 23.04.800 BP Orchestration >=24.08, 24.04.3 MR3, 23.12.4 MR4, 23.08.5 MR5, 23.04.4 MR3 BP Route Optimization & Analysis >=24.08, 24.04.2-3-R, 23.12.2.1-R, 23.08.2.-1-R, 23.04.P02-1-R BP Unified Assurance & Analytics >=24.08, 24.04.MR2, 23.12.MR4 Navigator NCS >= 8.2, 8.1-P02 MCP 8.0-P04, 7.2-P07 Planner Plus OnPrem >= 4.2, 4.1-P01