CVE-2020-26214

Name: CVE-2020-26214
Creator: NVD / NIST
Published: 2020-11-06T18:15:12.437+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 65.93%

Last modified Jun 17, 2026

CVE-2020-26214 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for anonymous authorization are affected. EPSS estimates a 65.93% chance of exploitation in the next 30 days.

Description

In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for anonymous authorization are affected. A fix has been implemented in version 8.1.0 that returns HTTP 401 Unauthorized response for any authentication attempts where the password field is empty. As a workaround LDAP administrators can disallow unauthenticated bind requests by clients.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

65.93%

99.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

Affected Software

Vendor	Product	Versions
Alerta Project	Alerta	< 7.5.7
Alerta Project	Alerta	>= 8.0.0, < 8.1.0

References

https://github.com/alerta/alerta/commit/2bfa31779a4c9df2fa68fa4d0c5c909698c5ef65Patch, Third Party Advisory
https://github.com/alerta/alerta/issues/1277Third Party Advisory
https://github.com/alerta/alerta/pull/1345Third Party Advisory
https://github.com/alerta/alerta/security/advisories/GHSA-5hmm-x8q8-w5jhThird Party Advisory
https://pypi.org/project/alerta-server/8.1.0/Third Party Advisory
https://tools.ietf.org/html/rfc4513#section-5.1.2Third Party Advisory
https://github.com/alerta/alerta/commit/2bfa31779a4c9df2fa68fa4d0c5c909698c5ef65Patch, Third Party Advisory
https://github.com/alerta/alerta/issues/1277Third Party Advisory
https://github.com/alerta/alerta/pull/1345Third Party Advisory
https://github.com/alerta/alerta/security/advisories/GHSA-5hmm-x8q8-w5jhThird Party Advisory
https://pypi.org/project/alerta-server/8.1.0/Third Party Advisory
https://tools.ietf.org/html/rfc4513#section-5.1.2Third Party Advisory

Timeline

Published: Nov 6, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-26214?

How severe is CVE-2020-26214?

CVE-2020-26214 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 65.93% probability of exploitation in the next 30 days.

How do I fix CVE-2020-26214?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-26214?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST