Description
Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled (LDAP_USE_TLS = True), Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a man-in-the-middle attacker positioned between Lemur and the LDAP server to intercept all authentication credentials. This vulnerability is fixed in 1.9.0.
Published: 2026-05-12
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Lemur, a TLS certificate management tool, had a flaw before version 1.9.0. When LDAP over TLS was activated, the LDAP authentication module disabled certificate verification at the global level, meaning the connection to the LDAP server was effectively untrusted. This allows an attacker who can position themselves between Lemur and the LDAP server to perform a man‑in‑the‑middle attack and capture all authentication credentials, potentially compromising user accounts and access control.

Affected Systems

Netflix Lemur deployments using LDAP authentication with TLS and running any version prior to 1.9.0 are affected. The issue exists in all releases that employ the default LDAP module before the 1.9.0 fix.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. EPSS is not available, but the flaw permits credential theft if the attacker can observe traffic between Lemur and its LDAP server. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires control over the network path to the LDAP server and enabling of LDAP TLS in Lemur. Upgrading removes the problem.

Generated by OpenCVE AI on May 12, 2026 at 23:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lemur to version 1.9.0 or later, where TLS certificate verification is restored.
  • Verify that LDAP_USE_TLS remains set to True and that the global LDAP module verification is enabled after the upgrade.
  • Ensure the LDAP server presents a trusted certificate chain, configuring any necessary custom CA certificates, and confirm that Lemur can connect without ignoring verification.

Generated by OpenCVE AI on May 12, 2026 at 23:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vr7c-r5gj-j3w5 Lemur: LDAP Authentication Globally Disables TLS Certificate Verification When LDAP_USE_TLS Is Enabled
History

Wed, 13 May 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Netflix
Netflix lemur
Vendors & Products Netflix
Netflix lemur

Tue, 12 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled (LDAP_USE_TLS = True), Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a man-in-the-middle attacker positioned between Lemur and the LDAP server to intercept all authentication credentials. This vulnerability is fixed in 1.9.0.
Title Lemur: LDAP TLS certificate verification globally disabled enables credential interception
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Netflix Lemur
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T21:28:06.362Z

Reserved: 2026-05-05T17:39:31.113Z

Link: CVE-2026-44305

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T22:16:37.280

Modified: 2026-05-12T22:16:37.280

Link: CVE-2026-44305

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:15:27Z

Weaknesses