Description
Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator. This vulnerability is fixed in 1.9.0.
Published: 2026-05-12
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated LDAP user can inject LDAP filter metacharacters through the username field used by Lemur’s authentication module. The unsanitized interpolation of the username into search filters allows manipulation of group membership queries, enabling the attacker to gain administrator privileges within the Lemur application. This flaw provides an immediate elevation of rights after the attacker has already authenticated, affecting confidentiality and integrity of the certificate management system.

Affected Systems

Netflix Lemur, versions prior to 1.9.0. Any deployment of Lemur that has not applied the 1.9.0 release is vulnerable. The issue originates from the lemur/auth/ldap.py module, where LDAP search filters are constructed with user‑supplied input.

Risk and Exploitability

The CVSS 3.1 score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) reflects high severity: the attack is reachable over the network, is low in complexity, needs no user interaction, and fully compromises confidentiality and integrity. The PR:L component makes it a post‑authentication flaw: the attacker needs network access to Lemur's login endpoint and a valid LDAP credential that Lemur accepts, but no special rights in the directory itself. EPSS is not yet available and the flaw is not listed in the CISA KEV catalog, so there is no confirmed in‑the‑wild exploitation at the time of writing; absence from KEV says nothing about how easy the flaw is to exploit, and filter injection of this kind needs only a crafted username. A malicious user who can log in can therefore grant themselves Lemur administrator rights, which carries full control over the certificate management system.

Generated by OpenCVE AI on May 12, 2026 at 23:41 UTC.

Remediation

Fixed in Lemur 1.9.0, per the advisory description; no vendor workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Upgrade Lemur to version 1.9.0 or newer, the release that fixes the filter construction in lemur/auth/ldap.py and removes the injection vector.
  • During the transition, limit LDAP authentication to a trusted set of users and audit group membership assignments to detect unauthorized admin grants.
  • If an upgrade cannot be performed immediately, disable LDAP authentication or switch to an alternate authentication mechanism that does not construct unsanitized LDAP filters.



Advisories

Source: GitHub GHSA
ID: GHSA-3r34-vq8m-39gh
Title: Lemur: LDAP Filter Injection enables post-authentication privilege escalation
History

No values were removed in either entry; each entry lists the values added.

Wed, 13 May 2026 00:15:00 +0000

Type: First Time appeared
Values added: Netflix; Netflix lemur

Type: Vendors & Products
Values added: Netflix; Netflix lemur

Tue, 12 May 2026 22:00:00 +0000

Type: Description
Values added: Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator. This vulnerability is fixed in 1.9.0.

Type: Title
Values added: Lemur: LDAP Filter Injection enables post-authentication privilege escalation

Type: Weaknesses
Values added: CWE-90

Type: References
Values added: (none recorded)

Type: Metrics
Values added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:27:28.118Z

Reserved: 2026-05-05T17:39:31.113Z

Link: CVE-2026-44304

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T22:16:37.140

Modified: 2026-05-12T22:16:37.140

Link: CVE-2026-44304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T00:00:16Z

Weaknesses