Threat Advisory

Lemur Vulnerability Enables Post-Authentication Privilege Escalation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-44304 (CVSS 8.1, high severity) affects the Lemur package in versions prior to 1.9.0. Lemur's LDAP authentication module builds LDAP search filters from unsanitized user input using Python string interpolation, so an authenticated LDAP user can inject LDAP filter metacharacters through the username field. By supplying LDAP filter syntax as the username at login, the attacker alters the group membership query so that it returns arbitrary groups, and can thereby assign themselves the `admin` role, or any other privileged role in Lemur, gaining unauthorized access to all certificates, private keys, and CA configurations. Exploitation requires valid LDAP credentials: the `simple_bind_s()` call must succeed before the injectable filter is reached, which makes this a post-authentication privilege escalation. Successful exploitation has significant business impact, including unauthorized access to sensitive data and potential disruption of critical operations.
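To make the mechanism concrete, the following is an added example written for this advisory; it is not Lemur's own code. It builds the group-membership filter two ways against a constructed in-memory directory: with raw string interpolation, the pattern the advisory describes, and with RFC 4515 escaping of the untrusted value. The filter shape `(&(objectClass=posixGroup)(memberUid=%s))`, the directory contents, and the `lemur-admin` / `lemur-users` group names are assumptions for illustration; Lemur's real filter may differ, and the preceding `simple_bind_s()` bind is not modeled.

```python
import re

# Constructed in-memory directory standing in for the LDAP server (sample data, not real).
# Attribute names are stored lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = [
    {"dn": ["uid=alice,ou=people,dc=example,dc=com"],
     "objectclass": ["inetOrgPerson"], "uid": ["alice"]},
    {"dn": ["cn=lemur-users,ou=groups,dc=example,dc=com"],
     "objectclass": ["posixGroup"], "cn": ["lemur-users"], "memberuid": ["alice"]},
    {"dn": ["cn=lemur-admin,ou=groups,dc=example,dc=com"],
     "objectclass": ["posixGroup"], "cn": ["lemur-admin"], "memberuid": ["bob"]},
]

# Assumed shape of the group-membership query; Lemur's actual filter may differ.
GROUP_FILTER = "(&(objectClass=posixGroup)(memberUid=%s))"


def escape_filter_chars(value):
    """RFC 4515 escaping of filter metacharacters (the same rule python-ldap's
    ldap.filter.escape_filter_chars applies): each of \\ * ( ) and NUL becomes \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def unescape(value):
    """Turn \\XX hex escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def group_filter_vulnerable(username):
    # The bug pattern the advisory describes: the username is interpolated raw.
    return GROUP_FILTER % username


def group_filter_hardened(username):
    # The fix: escape the untrusted value before it is placed into the filter.
    return GROUP_FILTER % escape_filter_chars(username)


def parse_filter(s):
    """Parse a subset of RFC 4515: &, |, ! and (attr=value) items with * wildcards."""
    def parse(i):
        if i >= len(s) or s[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if i >= len(s):
            raise ValueError("unbalanced filter")
        if s[i] in "&|":
            op, children, i = s[i], [], i + 1
            while i < len(s) and s[i] == "(":
                node, i = parse(i)
                children.append(node)
            if i >= len(s) or s[i] != ")":
                raise ValueError("unbalanced filter")
            return (op, children), i + 1
        if s[i] == "!":
            node, i = parse(i + 1)
            if i >= len(s) or s[i] != ")":
                raise ValueError("unbalanced filter")
            return ("!", [node]), i + 1
        end = s.find(")", i)  # a raw ')' always ends an item; escaped ones are '\29'
        if end < 0:
            raise ValueError("unbalanced filter")
        attr, _, value = s[i:end].partition("=")
        return ("=", attr, value), end + 1
    node, end = parse(0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # Split on raw '*' first so that an escaped '\2a' stays a literal asterisk.
    pattern = ".*".join(re.escape(unescape(part)) for part in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr.lower(), []))


def search(filter_str, directory=DIRECTORY):
    """Return the DNs of entries matching filter_str, sorted for stable comparison."""
    node = parse_filter(filter_str)
    return sorted(e["dn"][0] for e in directory if matches(node, e))


def groups_for(username, build=group_filter_vulnerable):
    return search(build(username))


if __name__ == "__main__":
    # Closes the memberUid item and appends a clause selecting the admin group;
    # the template's own trailing "))" then close the & filter, so it still parses.
    payload = "*)(cn=lemur-admin"
    print("alice, vulnerable  :", groups_for("alice"))
    print("payload, vulnerable:", groups_for(payload))
    print("payload, hardened  :", groups_for(payload, group_filter_hardened))
```

With the raw interpolation, the username `*)(cn=lemur-admin` turns the query into `(&(objectClass=posixGroup)(memberUid=*)(cn=lemur-admin))`, which returns the admin group for a user who is not a member of it; a bare `*` returns every group. After escaping, the same input becomes a literal `memberUid` value that matches nothing. In production code use `ldap.filter.escape_filter_chars` (or `filter_format`) from python-ldap rather than a hand-written escaper, and treat the evaluator above as a test stand-in only: it covers the equality and wildcard forms, not `>=`, `<=`, `~=` or extensible matches.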

RECOMMENDATION:

We recommend updating Lemur to version 1.9.0 or later. Because a successful exploit grants access to private keys and CA configurations, instances that authenticate against LDAP should also have their role assignments reviewed for unexpected `admin` members.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-3r34-vq8m-39gh
