
Lemur: LDAP Filter Injection enables post-authentication privilege escalation — CVE-2026-44304


ID: CVE-2026-44304
Source: GitHub
Vendor: GitHub
Threat: high
CVSS: 8.1
EPSS: 0.00023

Summary

## Description

### Overview

Lemur's LDAP authentication module (`lemur/auth/ldap.py`) constructs LDAP search filters from unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator.

### Vulnerable Code

**Location:** `lemur/auth/ldap.py`, …
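The advisory describes the bug class (raw string interpolation of a username into an LDAP filter) but the quoted code is cut off on this page. The following is an added example, not Lemur's code: it puts the unsafe interpolation pattern beside a hardened version that escapes the value per RFC 4515 section 3 and applies an allowlist as a second check. All function names (`escape_filter_value`, `build_uid_filter_unsafe`, `build_uid_filter_safe`, `is_plain_username`, `clause_count`) and the filter shape `(&(objectClass=person)(uid=...))` are assumptions for illustration; the real Lemur filter and group query are not shown on this page.

```python
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value so that they cannot alter the structure of the surrounding filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Allowlist for what a username is expected to look like (assumed policy;
# adjust to the directory's actual naming rules). Used as defence in depth.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,128}")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_plain_username(username: str) -> bool:
    """True if the username matches the allowlist (no filter metacharacters)."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_uid_filter_unsafe(username: str) -> str:
    """The vulnerable pattern the advisory describes: raw interpolation.

    Kept here only to contrast with the safe version; never use in production.
    """
    return f"(&(objectClass=person)(uid={username}))"


def build_uid_filter_safe(username: str) -> str:
    """Hardened pattern: reject unexpected input, then escape what remains."""
    if not is_plain_username(username):
        raise ValueError("username contains characters outside the allowed set")
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def clause_count(ldap_filter: str) -> int:
    """Number of opening parentheses, i.e. how many filter items the string has.

    A correctly built filter for this template always has exactly 3; a higher
    count means the user-controlled value changed the filter's structure.
    """
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed sample input carrying filter metacharacters.
    tainted = "bob)(cn=x"
    print("unsafe :", build_uid_filter_unsafe(tainted), clause_count(build_uid_filter_unsafe(tainted)))
    escaped_only = f"(&(objectClass=person)(uid={escape_filter_value(tainted)}))"
    print("escaped:", escaped_only, clause_count(escaped_only))
    print("allowlist rejects tainted value:", not is_plain_username(tainted))
    print("safe   :", build_uid_filter_safe("bob.smith"))
```

The escape step alone is sufficient to keep the value inside its own assertion (the escaped filter still has three clauses), while the allowlist fails closed on anything that does not look like a username so that a missed escape elsewhere in the code path does not become exploitable. When reviewing a fix for this class of bug, check both that every interpolated value goes through the escape function and that the library's own escaping helper (for example `ldap3.utils.conv.escape_filter_chars`, which performs the same RFC 4515 escaping) is used rather than a hand-rolled one.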

Product

pip: lemur

What to do

General, cautious steps (verify details in the official source):

  • Prioritize patching or mitigation immediately (treat as actively risky).
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.
