Skip to main content

Netflix Lemur CVE-2026-48508

HIGH
Incorrect Authorization (CWE-863)
2026-06-25 https://github.com/Netflix/lemur GHSA-qcqw-jwxc-2hqg
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.3 HIGH

Network-reachable API with any authenticated low-privilege role gives AV:N/AC:L/PR:L/UI:N; impact is dominated by integrity (PKI control) and confidentiality (CA keys/SSRF), with only limited availability effect (A:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 19:31 vuln.today
Analysis Generated
Jun 25, 2026 - 19:31 vuln.today

DescriptionGitHub Advisory

Summary

StrictRolePermission and AuthorityCreatorPermission in lemur/auth/permissions.py call flask_principal.Permission.__init__() with zero Needs when their config flags are unset. Both flags defaulted to False in code prior to the fix, so this was the state of any Lemur install that hadn't explicitly opted in.

Flask-Principal's Permission.allows() returns True whenever self.needs is empty. The .can() gate therefore passes for every authenticated identity, including the lowest-privilege role Lemur ships (read-only).

A user holding only read-only can create root Certificate Authorities, create and edit notifications (an SSRF sink), create domain entries, and upload arbitrary certificates. These classes are the sole authorization check on those endpoints.

Root Cause

python
# lemur/auth/permissions.py
class AuthorityCreatorPermission(Permission):
    def __init__(self):
        requires_admin = current_app.config.get("ADMIN_ONLY_AUTHORITY_CREATION", False)
        if requires_admin:
            super().__init__(RoleNeed("admin"))
        else:
            super().__init__()
# empty Need set

class StrictRolePermission(Permission):
    def __init__(self):
        strict_role_enforcement = current_app.config.get("LEMUR_STRICT_ROLE_ENFORCEMENT", False)
        if strict_role_enforcement:
            needs = [RoleNeed("admin"), RoleNeed("operator")]
            super().__init__(*needs)
        else:
            super().__init__()
# empty Need set

flask_principal.Permission.allows() (upstream, v0.4.0):

python
def allows(self, identity):
    if self.needs and not self.needs.intersection(identity.provides):
        return False
    ...
    return True

When self.needs == set(), the first guard is falsy and is skipped. excludes is also empty, so allows() returns True for any identity. AuthenticatedResource (the parent class for these views) sets method_decorators = [login_required], which checks authentication only, no role. So the permission .can() is the only authorization layer in front of these endpoints.

Affected Endpoints

Views whose only authorization check is StrictRolePermission().can() or AuthorityCreatorPermission().can():

MethodPathSource
POST/api/1/authoritieslemur/authorities/views.py:231
POST/api/1/certificates/uploadlemur/certificates/views.py:651
POST/api/1/pending_certificates/\<id>/uploadlemur/pending_certificates/views.py:545
POST/api/1/notificationslemur/notifications/views.py:227
PUT/DEL/api/1/notifications/\<id>lemur/notifications/views.py:370,384
POST/api/1/domainslemur/domains/views.py:131

POST /api/1/authorities is gated by AuthorityCreatorPermission().can() and StrictRolePermission().can(); both have empty Needs by default. The other rows are gated by StrictRolePermission().can() alone.

Note on scope: PUT /api/1/authorities/<id> also references StrictRolePermission, but its gate is AuthorityPermission(...).can() and StrictRolePermission().can(). AuthorityPermission is constructed with non-empty Needs (RoleNeed("admin") plus authority-scoped needs), so that endpoint is not bypassable by a read-only user and is excluded from this report.

Impact

A user holding only the read-only role can:

  1. Create root Certificate Authorities. CA cert and private key are persisted in Lemur's DB with the attacker as owner. Any internal trust store that pins Lemur-managed roots can now be signed against by the attacker.
  2. Upload arbitrary certificates via /certificates/upload, including attacker-supplied keys with destinations such as AWS push.
  3. Create or modify notifications, which reach an SSRF sink (see related finding F3, Slack notification webhook).
  4. Mark arbitrary domains as sensitive, manipulating Lemur's domain registry and the cert-issuance approval path.

Combined with any low-privilege credential leak (phished employee, leaked SSO token) or insider access, this is a pivot from "any authenticated identity" to control of the PKI issuance plane.

Remediation

The config flag defaults for ADMIN_ONLY_AUTHORITY_CREATION and LEMUR_STRICT_ROLE_ENFORCEMENT were changed from False to True. Restrictive role enforcement is now active on all default installs without requiring explicit configuration.

python
class AuthorityCreatorPermission(Permission):
    def __init__(self):
        requires_admin = current_app.config.get("ADMIN_ONLY_AUTHORITY_CREATION", True)
        ...

class StrictRolePermission(Permission):
    def __init__(self):
        strict_role_enforcement = current_app.config.get("LEMUR_STRICT_ROLE_ENFORCEMENT", True)
        ...

Note: The opt-out branches (empty Needs) remain in the code. Operators who explicitly set ADMIN_ONLY_AUTHORITY_CREATION = False or LEMUR_STRICT_ROLE_ENFORCEMENT = False in their config will reintroduce the bypass. These flags should be left unset or set to True.

AnalysisAI

Privilege escalation via broken authorization in Netflix Lemur (versions <= 1.9.0) lets any authenticated user - including the shipped lowest-privilege read-only role - perform admin-only certificate-management actions. Because the StrictRolePermission and AuthorityCreatorPermission classes were instantiated with an empty Need set when their config flags were left at the default False, Flask-Principal's allows() returns True for every identity, removing the only role gate in front of CA creation, certificate upload, notification (SSRF sink) management, and domain registry edits. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Lemur credential
Delivery
Authenticate to Lemur API
Exploit
POST /api/1/authorities with read-only role
Execution
Empty-Need permission grants access
Persist
Create attacker-owned root CA
Impact
Sign rogue certs trusted internally

Vulnerability AssessmentAI

Exploitation Exploitation requires one authenticated Lemur account at any privilege level, including the default-shipped `read-only` role (CVSS PR:L) - no admin or operator role is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent toward elevated priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains any low-privilege Lemur credential - for example a phished employee account or a leaked SSO token mapped to the default `read-only` role - sends an authenticated POST to /api/1/authorities and creates a root Certificate Authority owned by the attacker, whose cert and private key are persisted in Lemur's database. Because internal trust stores pin Lemur-managed roots, the attacker can now sign certificates trusted across the environment, and can additionally upload arbitrary certificates and create notifications that reach an SSRF sink. …
Remediation Upgrade to Lemur 1.9.1, which changes the defaults of `ADMIN_ONLY_AUTHORITY_CREATION` and `LEMUR_STRICT_ROLE_ENFORCEMENT` from `False` to `True` so restrictive role enforcement is active on all default installs (see GHSA-qcqw-jwxc-2hqg). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Lemur deployments (versions ≤1.9.0); immediately audit certificate operations and issuance logs for unauthorized activity; restrict administrative access to the minimal trusted group and enforce multi-factor authentication. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-27966 CRITICAL POC
9.8 Feb 26

Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary

CVE-2025-0868 CRITICAL POC
9.3 Feb 20

A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Rated critical severity (C

CVE-2026-41264 CRITICAL POC
9.2 Apr 21

## Abstract Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. ## Vulnerabi

CVE-2025-1550 CRITICAL POC
9.8 Mar 11

Keras Model.load_model can execute arbitrary code even with safe_mode=True by manipulating the config.json inside a .ker

Share

CVE-2026-48508 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy