Skip to main content

Netflix Lemur CVE-2026-55164

MEDIUM
Plaintext Storage of a Password (CWE-256)
2026-06-25 https://github.com/Netflix/lemur GHSA-q437-g7fv-2jvv
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

Admin JWT required to trigger the write path (PR:H); network-accessible API endpoint (AV:N); no integrity or availability impact from the storage flaw itself.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 22:39 vuln.today
Analysis Generated
Jun 25, 2026 - 22:39 vuln.today

DescriptionGitHub Advisory

Summary

lemur.users.service.update() writes a user's new password as plaintext to the users.password column. The User model wires bcrypt hashing to SQLAlchemy's before_insert event but registers no equivalent listener for before_update, and service.update() does not call user.hash_password() after assigning the new value. Every password change performed through the admin-gated PUT /api/1/users/<id> endpoint persists the user's password to the database in cleartext.

Root Cause

lemur/users/models.py:

python
# line 38
class User(BaseModel):
    __tablename__ = "users"
    id = Column(Integer, primary_key=True)
    password = Column(String(128))
# plain column, no setter, no Vault descriptor
# line 74
    def hash_password(self):
        if self.password:
            self.password = bcrypt.generate_password_hash(self.password).decode("utf-8")
# line 111
listen(User, "before_insert", hash_password)
# only before_insert is wired

lemur/users/service.py:

python
# line 46
def update(user_id, username, email, active, profile_picture, roles, password=None):
    ...
    user = get(user_id)
    user.username = username
    user.email = email
    user.active = active
    user.profile_picture = profile_picture
    if password:
        user.password = password
# raw assignment
    update_roles(user, roles)
    return database.update(user)
# commits, no hashing

No before_update listener exists. User.password is a plain Column(String(128)) with no property setter that hashes on assignment. The bcrypt code path is bypassed entirely on every UPDATE statement that touches this column.

Affected Endpoints

MethodPathSource
PUT/api/1/users/<id>lemur/users/views.py:274 (gated by @admin_permission.require)

lemur/auth/views.py:323 also calls user_service.update() during SSO/OAuth login, but passes only six positional arguments. password defaults to None on that path and the if password: guard short-circuits. The bug is triggered only through the admin-only PUT handler.

Impact

When an administrator changes a user's password via PUT /api/1/users/<id>, the cleartext password is persisted to users.password. Subsequent login attempts for that user will fail (check_password calls bcrypt.check_password_hash against an unhashed value), pushing operators toward workarounds.

The more serious consequence is a defense-in-depth bypass. Bcrypt is the protection that prevents a database compromise from yielding usable credentials. With plaintext rows present, an attacker who exfiltrates the users table, a backup, a read replica, or query logs obtains directly usable login credentials - no offline cracking required. Because users reuse passwords across services, the blast radius extends beyond Lemur.

The bug specifically affects admin-driven password resets, which are the normal post-incident workflow and exactly when plaintext storage is most harmful.

Steps to Reproduce

  1. Install Lemur with default config. Create an admin user and a target user 'alice' (created via the standard flow, password will be hashed correctly on insert).
  2. Verify the initial hash:

psql lemur -c "SELECT password FROM users WHERE username='alice';"

Output: $2b$12$N9Q... (bcrypt hash, as expected)

  1. As admin, change alice's password via the API:

curl -X PUT https://lemur.local/api/1/users/<alice_id> \ -H "Authorization: Bearer <admin_jwt>" \ -H "Content-Type: application/json" \ -d '{ "username": "alice", "email": "alice@example.com", "active": true, "profile_picture": null, "roles": [{"name": "operator"}], "password": "ProofOfConcept_2026" }'

  1. Read the column again:

psql lemur -c "SELECT password FROM users WHERE username='alice';"

Output: ProofOfConcept_2026 ← plaintext, not hashed

  1. Confirm the failure mode: 'alice' can no longer log in with 'ProofOfConcept_2026'

because check_password runs bcrypt.check_password_hash() against the cleartext column.

Remediation

Register the listener for both events:

python
# lemur/users/models.py
listen(User, "before_insert", hash_password)
listen(User, "before_update", hash_password)

Alternative, equivalent fix in the service layer:

python
# lemur/users/service.py, in update()
    if password:
        user.password = password
        user.hash_password()

The listener fix is preferred because it closes the gap for any future code path that mutates user.password.

A one-time migration is recommended to detect and re-hash any rows already stored in cleartext. Bcrypt hashes begin with $2b$, $2a$, or $2y$. Any cleartext credential should be treated as compromised - rotate it, do not just re-hash it - since it has been at rest in plaintext and may exist in backups, audit logs, and replicas.

AnalysisAI

Cleartext password storage in Netflix Lemur's user-update service path allows any attacker who gains read access to the Lemur database, its backups, query logs, or read replicas to obtain directly usable plaintext credentials - no offline cracking required. The flaw affects all Lemur deployments running pip/lemur <= 1.9.1 and is triggered exclusively when an administrator resets a user password through the admin-gated PUT /api/1/users/<id> API endpoint. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain database read access (backup, replica, or SQL injection)
Delivery
Query users table for non-bcrypt password rows
Exploit
Extract plaintext credentials directly
Execution
Authenticate to Lemur or downstream services with harvested credentials
Impact
Escalate or pivot using PKI admin access

Vulnerability AssessmentAI

Exploitation Exploitation of the storage flaw itself requires an attacker to have read access to the Lemur PostgreSQL users table, a database backup, a streaming replica, or query/audit logs that captured the UPDATE statement - none of which require network access to the Lemur application tier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) accurately reflects that exploitation requires administrator-level privileges, which substantially constrains the attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised the Lemur PostgreSQL database (via SQL injection, stolen backup, replica exfiltration, or query log access) queries the users table and recovers all passwords reset by administrators since the vulnerable code was deployed - no hash-cracking tools or GPU clusters required. The advisory provides exact reproduction steps including the curl command and SQL verification query, making the exploit trivially reproducible. …
Remediation Upgrade to pip/lemur version 1.9.2, which adds the missing before_update SQLAlchemy event listener alongside the before_insert registration, closing the hashing gap for all future code paths that mutate user.password. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-55164 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy