Netflix Lemur CVE-2026-48508
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable API with any authenticated low-privilege role gives AV:N/AC:L/PR:L/UI:N; impact is dominated by integrity (PKI control) and confidentiality (CA keys/SSRF), with only limited availability effect (A:L).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
StrictRolePermission and AuthorityCreatorPermission in lemur/auth/permissions.py call flask_principal.Permission.__init__() with zero Needs when their config flags are unset. Both flags defaulted to False in code prior to the fix, so this was the state of any Lemur install that hadn't explicitly opted in.
Flask-Principal's Permission.allows() returns True whenever self.needs is empty. The .can() gate therefore passes for every authenticated identity, including the lowest-privilege role Lemur ships (read-only).
A user holding only read-only can create root Certificate Authorities, create and edit notifications (an SSRF sink), create domain entries, and upload arbitrary certificates. These classes are the sole authorization check on those endpoints.
Root Cause
# lemur/auth/permissions.py
class AuthorityCreatorPermission(Permission):
def __init__(self):
requires_admin = current_app.config.get("ADMIN_ONLY_AUTHORITY_CREATION", False)
if requires_admin:
super().__init__(RoleNeed("admin"))
else:
super().__init__()
# empty Need set
class StrictRolePermission(Permission):
def __init__(self):
strict_role_enforcement = current_app.config.get("LEMUR_STRICT_ROLE_ENFORCEMENT", False)
if strict_role_enforcement:
needs = [RoleNeed("admin"), RoleNeed("operator")]
super().__init__(*needs)
else:
super().__init__()
# empty Need setflask_principal.Permission.allows() (upstream, v0.4.0):
def allows(self, identity):
if self.needs and not self.needs.intersection(identity.provides):
return False
...
return TrueWhen self.needs == set(), the first guard is falsy and is skipped. excludes is also empty, so allows() returns True for any identity. AuthenticatedResource (the parent class for these views) sets method_decorators = [login_required], which checks authentication only, no role. So the permission .can() is the only authorization layer in front of these endpoints.
Affected Endpoints
Views whose only authorization check is StrictRolePermission().can() or AuthorityCreatorPermission().can():
| Method | Path | Source |
|---|---|---|
| POST | /api/1/authorities | lemur/authorities/views.py:231 |
| POST | /api/1/certificates/upload | lemur/certificates/views.py:651 |
| POST | /api/1/pending_certificates/\<id>/upload | lemur/pending_certificates/views.py:545 |
| POST | /api/1/notifications | lemur/notifications/views.py:227 |
| PUT/DEL | /api/1/notifications/\<id> | lemur/notifications/views.py:370,384 |
| POST | /api/1/domains | lemur/domains/views.py:131 |
POST /api/1/authorities is gated by AuthorityCreatorPermission().can() and StrictRolePermission().can(); both have empty Needs by default. The other rows are gated by StrictRolePermission().can() alone.
Note on scope: PUT /api/1/authorities/<id> also references StrictRolePermission, but its gate is AuthorityPermission(...).can() and StrictRolePermission().can(). AuthorityPermission is constructed with non-empty Needs (RoleNeed("admin") plus authority-scoped needs), so that endpoint is not bypassable by a read-only user and is excluded from this report.
Impact
A user holding only the read-only role can:
- Create root Certificate Authorities. CA cert and private key are persisted in Lemur's DB with the attacker as owner. Any internal trust store that pins Lemur-managed roots can now be signed against by the attacker.
- Upload arbitrary certificates via
/certificates/upload, including attacker-supplied keys with destinations such as AWS push. - Create or modify notifications, which reach an SSRF sink (see related finding F3, Slack notification webhook).
- Mark arbitrary domains as
sensitive, manipulating Lemur's domain registry and the cert-issuance approval path.
Combined with any low-privilege credential leak (phished employee, leaked SSO token) or insider access, this is a pivot from "any authenticated identity" to control of the PKI issuance plane.
Remediation
The config flag defaults for ADMIN_ONLY_AUTHORITY_CREATION and LEMUR_STRICT_ROLE_ENFORCEMENT were changed from False to True. Restrictive role enforcement is now active on all default installs without requiring explicit configuration.
class AuthorityCreatorPermission(Permission):
def __init__(self):
requires_admin = current_app.config.get("ADMIN_ONLY_AUTHORITY_CREATION", True)
...
class StrictRolePermission(Permission):
def __init__(self):
strict_role_enforcement = current_app.config.get("LEMUR_STRICT_ROLE_ENFORCEMENT", True)
...Note: The opt-out branches (empty Needs) remain in the code. Operators who explicitly set ADMIN_ONLY_AUTHORITY_CREATION = False or LEMUR_STRICT_ROLE_ENFORCEMENT = False in their config will reintroduce the bypass. These flags should be left unset or set to True.
Articles & Coverage 1
AnalysisAI
Privilege escalation via broken authorization in Netflix Lemur (versions <= 1.9.0) lets any authenticated user - including the shipped lowest-privilege read-only role - perform admin-only certificate-management actions. Because the StrictRolePermission and AuthorityCreatorPermission classes were instantiated with an empty Need set when their config flags were left at the default False, Flask-Principal's allows() returns True for every identity, removing the only role gate in front of CA creation, certificate upload, notification (SSRF sink) management, and domain registry edits. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires one authenticated Lemur account at any privilege level, including the default-shipped `read-only` role (CVSS PR:L) - no admin or operator role is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent toward elevated priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains any low-privilege Lemur credential - for example a phished employee account or a leaked SSO token mapped to the default `read-only` role - sends an authenticated POST to /api/1/authorities and creates a root Certificate Authority owned by the attacker, whose cert and private key are persisted in Lemur's database. Because internal trust stores pin Lemur-managed roots, the attacker can now sign certificates trusted across the environment, and can additionally upload arbitrary certificates and create notifications that reach an SSRF sink. … |
| Remediation | Upgrade to Lemur 1.9.1, which changes the defaults of `ADMIN_ONLY_AUTHORITY_CREATION` and `LEMUR_STRICT_ROLE_ENFORCEMENT` from `False` to `True` so restrictive role enforcement is active on all default installs (see GHSA-qcqw-jwxc-2hqg). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Lemur deployments (versions ≤1.9.0); immediately audit certificate operations and issuance logs for unauthorized activity; restrict administrative access to the minimal trusted group and enforce multi-factor authentication. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary
A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Rated critical severity (C
## Abstract Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. ## Vulnerabi
Keras Model.load_model can execute arbitrary code even with safe_mode=True by manipulating the config.json inside a .ker
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-qcqw-jwxc-2hqg