CVE-2026-44304 · HIGH 8.1 · EPSS percentile 7.6%

CVE-2026-44304

Description

Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator. This vulnerability is fixed in 1.9.0.
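The weakness described above (CWE-90) is the classic pattern of building an LDAP filter with Python string interpolation, so that filter metacharacters in the username become part of the filter's structure instead of a literal value. The snippet below is an added illustration of the vulnerable pattern beside its hardened form; it is not Lemur's code, the filter template and the sample username are constructed, and the escaping follows RFC 4515 section 3 (the same rule implemented by libraries such as ldap3's escape_filter_chars). The paren_count helper is the kind of check a unit test can apply to confirm that no input changes the shape of the generated filter.

```python
"""LDAP filter injection (CWE-90): unsafe interpolation vs. RFC 4515 escaping.

Added example; not the Lemur project's code. Filter template, group DN and
sample username are constructed for illustration.
"""

# RFC 4515 section 3: these characters must be encoded as \XX inside an
# assertion value, otherwise they are interpreted as filter syntax.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed group DN used by both builders (hypothetical configuration value).
ADMIN_GROUP_DN = "cn=admins,dc=example,dc=com"


def escape_filter_chars(value: str) -> str:
    """Escape a string so it can only ever be read as a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, group_dn: str = ADMIN_GROUP_DN) -> str:
    """Vulnerable pattern: raw user input interpolated into the filter."""
    return "(&(uid=%s)(memberOf=%s))" % (username, group_dn)


def build_filter_safe(username: str, group_dn: str = ADMIN_GROUP_DN) -> str:
    """Hardened pattern: every interpolated value is escaped first."""
    return "(&(uid=%s)(memberOf=%s))" % (
        escape_filter_chars(username),
        escape_filter_chars(group_dn),
    )


def paren_count(ldap_filter: str) -> tuple:
    """Return (open, close) parenthesis counts.

    Escaped filters never contain raw parentheses from user data, so a safe
    builder always yields the template's own count (3, 3) for this template.
    """
    return (ldap_filter.count("("), ldap_filter.count(")"))


if __name__ == "__main__":
    # Constructed sample: a username carrying filter metacharacters.
    sample = "alice)(cn=*"
    for name, builder in (("unsafe", build_filter_unsafe), ("safe", build_filter_safe)):
        f = builder(sample)
        print(f"{name:6s} parens={paren_count(f)} filter={f}")
```

For a benign username both builders produce the identical filter, so escaping costs nothing in the normal case; the difference only appears when the input contains one of the five characters above, which is exactly the case the advisory describes.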

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.18% probability of exploitation · percentile 7.6% · 2026-06-19T12:03:05Z
Published: 2026-05-12
Last modified: 2026-05-14

Underlying weaknesses · 1

CWE-90

References

  1. https://github.com/Netflix/lemur/security/advisories/GHSA-3r34-vq8m-39gh


Type     | Target                                                                                    | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (cwe-90) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-25560
  - CVE: CVE-2026-40193
  - CVE: CVE-2026-35563
  - CVE: CVE-2026-40459
  - CVE: CVE-2026-39962
  - CVE: CVE-2026-29202
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.