Threat Advisory

Lemur Vulnerabilities Enable AWS IAM Compromise

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Lemur, a TLS certificate management service, affecting versions prior to 1.9.2. These issues include Server-Side Request Forgery (SSRF), Insecure Direct Object Reference (IDOR), and critical authorization bypass flaws. Exploitation allows low-privilege users to escalate access, compromise AWS IAM credentials, and exfiltrate sensitive PKI private keys. The business impact is severe, potentially leading to full infrastructure compromise and persistent unauthorized access to internal trust stores and cloud environments.

  • CVE-2026-55166 with a CVSS score of 9.9 – This vulnerability combines ACME URL SSRF and creator-equality IDOR flaws, allowing any SSO-authenticated user to achieve AWS IAM compromise and exfiltrate TLS private keys by exploiting internal metadata services.
  • CVE-2026-48508 with a CVSS score of 8.8 – This authorization bypass occurs in StrictRolePermission and AuthorityCreatorPermission, enabling read-only users to create root Certificate Authorities and upload arbitrary certificates due to improperly initialized permission checks.
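The two flaw classes in the bullets above map to two well-understood defensive checks. The Python below is an added example written for this advisory; it is not Lemur's code and does not reconstruct Lemur's API. `is_safe_acme_url` is an outbound-URL guard of the kind that stops a user-supplied ACME directory URL from reaching link-local metadata services or other internal address space (the SSRF path in CVE-2026-55166), and `FailClosedPermission` is a role check that denies when its requirement set was never populated, which is the behaviour an improperly initialized permission check should default to (the bypass class in CVE-2026-48508). All function and class names, the injectable `resolver` parameter, and the sample hosts and addresses are assumptions constructed for the example.

```python
"""Added example for this advisory (not Lemur's code): an SSRF guard for
outbound ACME URLs and a fail-closed role permission. Names are hypothetical."""
import ipaddress
import socket
from urllib.parse import urlparse


def _blocked(ip):
    """True if an address must never be the target of a server-side request.
    Covers link-local (169.254.0.0/16, fe80::/10, i.e. cloud metadata
    endpoints), RFC1918/ULA, loopback, multicast and anything not globally
    routable. IPv4-mapped IPv6 literals are unwrapped so the real IPv4
    destination is what gets checked."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global or ip.is_multicast or ip.is_link_local
            or ip.is_loopback or ip.is_private)


def _default_resolver(host):
    """Resolve a hostname to the set of IP strings it maps to (all families)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_acme_url(url, resolver=_default_resolver):
    """Return True only for https URLs whose host is, or resolves exclusively
    to, globally routable unicast addresses. `resolver` is injectable so the
    check can be exercised offline with constructed answers."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    host = parsed.hostname
    # Literal IP in the URL (brackets already stripped by urlparse): no DNS.
    try:
        return not _blocked(ipaddress.ip_address(host))
    except ValueError:
        pass
    # Hostname: check every address it resolves to. Numeric tricks such as
    # decimal or octal IPv4 forms surface here as resolver output and are
    # caught by the same range test.
    try:
        addrs = resolver(host)
    except OSError:
        return False  # unresolvable host: deny rather than guess
    if not addrs:
        return False
    for addr in addrs:
        try:
            if _blocked(ipaddress.ip_address(addr)):
                return False
        except ValueError:
            return False  # resolver handed back something unparseable
    return True


class FailClosedPermission:
    """Role check whose empty (uninitialized) requirement set means 'deny',
    never 'everyone allowed'."""

    def __init__(self, required_roles=()):
        self.required_roles = frozenset(required_roles)

    def allows(self, user_roles):
        if not self.required_roles:
            return False  # misconfiguration is a denial, not a bypass
        return bool(self.required_roles & frozenset(user_roles))


if __name__ == "__main__":
    # Constructed inputs; 8.8.8.8 stands in for any public address.
    public = lambda host: {"8.8.8.8"}
    print(is_safe_acme_url("https://169.254.169.254/latest/meta-data/"))   # False
    print(is_safe_acme_url("https://acme.example.test/directory", public))  # True
    print(FailClosedPermission().allows({"admin"}))                         # False
```

One caveat the guard does not remove by itself: the check resolves the hostname once, while the HTTP client resolves it again when it connects, so the client must be made to connect to the vetted address (or the check repeated at connection time), and redirects must be disabled or re-validated, otherwise a rebinding or redirect lands on the metadata service after the check has passed.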

The critical nature of these vulnerabilities necessitates immediate attention due to the potential for complete cloud infrastructure compromise and persistent data exfiltration. Successful exploitation could allow attackers to establish a long-term presence within the network and undermine the integrity of the organization's entire public key infrastructure. Failure to address these risks poses a severe threat to operational security and data confidentiality.

RECOMMENDATION:

  • We recommend updating Lemur to version 1.9.2.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-v2wp-frmc-5q3v
https://github.com/advisories/GHSA-qcqw-jwxc-2hqg
