CVE-2026-44304

Published: Mag 13, 2026 Last Modified: Mag 13, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,1

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator. This vulnerability is fixed in 1.9.0.

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability

Potential Impacts:

Execute Unauthorized Code Or Commands Read Application Data Modify Application Data

Applicable Platforms

Technologies: Database Server

View CWE Details

https://github.com/Netflix/lemur/security/advisories/GHSA-3…

https://github.com/Netflix/lemur/security/advisories/GHSA-3r34-vq8m-39gh

CVE-2026-44304

Description

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter