CVE-2026-44304

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N                                    

Vulnerability Description

Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator. This vulnerability is fixed in 1.9.0.

Vulnerability Details

Published Date

May 06, 2026

Last Modified

May 14, 2026

CWE ID

CWE-90

Source

GitHub

Vendor

pip

Product

lemur

External References

https://github.com/Netflix/lemur/security/advisories/GHSA-3r34-vq8m-39gh
https://github.com/Netflix/lemur/releases/tag/v1.9.0
https://github.com/advisories/GHSA-3r34-vq8m-39gh

CVE-2026-44304

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment