CVE-2026-5270 PUBLISHED

Authentication Bypass in Navigator and Blue Planet Products

Assigner: Ciena
Reserved: 31.03.2026 Published: 14.07.2026 Updated: 15.07.2026

An authentication bypass vulnerability exists in certain releases of Ciena Navigator Network Control Suite (NCS), Manage Control Plan (MCP), and Blue Planet products. The issue is caused by improper handling of HTTP request paths and headers, which allows an unauthenticated attacker to manipulate requests in a manner that bypasses authentication and associated audit logging controls.

Product Status

Vendor CIENA
Product Navigator NCS
Versions Default: unaffected
  • Version 8.1 is affected
Vendor CIENA
Product MCP
Versions Default: unaffected
  • Version <= 8.0 is affected
Vendor CIENA
Product Planner Plus OnPrem
Versions Default: unaffected
  • Version <= 4.1 is affected
Vendor Blue Planet
Product Inventory
Versions Default: unaffected
  • Version <=24.04.001 is affected
  • Version <=23.12.401 is affected
  • Version <=23.08.302 is affected
  • Version <=23.04.701 is affected
Vendor Blue Planet
Product Orchestration
Versions Default: unaffected
  • Version <=24.04.2 is affected
  • Version <=23.12.3 is affected
  • Version <=23.08.4 is affected
  • Version <=23.04.2 is affected
Vendor Blue Planet
Product Route Optimization & Analysis
Versions Default: unaffected
  • Version <=24.04.1.2-R is affected
  • Version <=23.12.1.6-R is affected
  • Version <=23.08.1.6-R is affected
  • Version <=23.04.P01-9-R is affected
Vendor Blue Planet
Product Unified Assurance & Analytics
Versions Default: unaffected
  • Version <=24.04 MR1 is affected
  • Version <=23.12 MR3 is affected
  • Version <=23.04. MR4 is affected

Solutions

Ciena recommends upgrading to the latest available remediated release. For additional details, refer to myciena.com for current software versions, fixes, and security advisories.

Remediation and Fixes:

Products

Remediated Version

BP Inventory

=24.08, 24.04.100, 23.12.500, 23.08.400, 23.04.800

BP Orchestration

=24.08, 24.04.3 MR3, 23.12.4 MR4, 23.08.5 MR5,

23.04.4 MR3

BP Route Optimization & Analysis

=24.08, 24.04.2-3-R, 23.12.2.1-R, 23.08.2.-1-R,

23.04.P02-1-R

BP Unified Assurance & Analytics

=24.08, 24.04.MR2, 23.12.MR4

Navigator NCS

= 8.2, 8.1-P02

MCP

8.0-P04, 7.2-P07

Planner Plus OnPrem

= 4.2, 4.1-P01

Credits

  • Special thanks to the team at TDC NET for their contribution. finder

References

Problem Types

  • CWE-287 Improper Authentication CWE