PT-2026-38301 · Lemur
Published 2026-05-06 · Updated 2026-05-12 · CVE-2026-44305
CVSS v3.1: 6.8 (Medium)
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Lemur versions prior to 1.9.0
Description: When LDAP TLS is enabled via the LDAP_USE_TLS variable, the bind() function of the LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. It calls the module-level ldap.set_option() instead of the equivalent method on the connection object, so verification is switched off for the entire Python process rather than for a single connection. As a result, any certificate, including a self-signed, expired or revoked one, is accepted without validation. A man-in-the-middle attacker positioned between Lemur and the LDAP server can therefore intercept authentication credentials (usernames and plaintext passwords) and modify LDAP responses to inject arbitrary group memberships.
Recommendations: Update to version 1.9.0.
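The core of the weakness is the scope at which OPT_X_TLS_REQUIRE_CERT is set. The following is an added example, not Lemur's code: a small AST-based check that scans Python source for python-ldap set_option() calls that weaken certificate checking and reports whether they are made on the ldap module (process-wide) or on a connection object. The two bind() functions it scans are constructed samples with placeholder hostnames and paths, written in the shape the advisory describes; the python-ldap constant names (OPT_X_TLS_REQUIRE_CERT, OPT_X_TLS_NEVER, OPT_X_TLS_DEMAND, OPT_X_TLS_CACERTFILE, OPT_X_TLS_NEWCTX) are real.

```python
"""Flag process-wide disabling of LDAP TLS certificate verification.

Added example (not Lemur's code). Scans Python source for python-ldap
set_option() calls that set OPT_X_TLS_REQUIRE_CERT to a value that skips
peer certificate checks, and classifies each by scope: "module" when the
receiver is the ldap module itself (affects every later connection in the
process), "connection" when it is called on a connection object.
"""
import ast

# python-ldap values for OPT_X_TLS_REQUIRE_CERT that do not enforce verification.
WEAK_REQUIRE_CERT = {"OPT_X_TLS_NEVER", "OPT_X_TLS_ALLOW"}


def _name_of(node):
    """Return the trailing name of `ldap.OPT_X` or a bare identifier, else None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_tls_verification_disabled(source: str):
    """Return [(line, scope, value)] for every weak OPT_X_TLS_REQUIRE_CERT setting."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "set_option"):
            continue
        if len(node.args) != 2:
            continue
        option, value = _name_of(node.args[0]), _name_of(node.args[1])
        if option != "OPT_X_TLS_REQUIRE_CERT" or value not in WEAK_REQUIRE_CERT:
            continue
        receiver = func.value
        global_call = isinstance(receiver, ast.Name) and receiver.id == "ldap"
        findings.append((node.lineno, "module" if global_call else "connection", value))
    return findings


# Constructed sample: the vulnerable shape (module-level call, process-wide effect).
VULNERABLE_BIND = '''
import ldap

def bind(username, password, use_tls=True):
    if use_tls:
        # Module-level: every later ldap.initialize() in this process skips verification.
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
    conn = ldap.initialize("ldap://ldap.example.test")  # placeholder host
    conn.start_tls_s()
    conn.simple_bind_s(username, password)
    return conn
'''

# Constructed sample: the hardened shape (verification demanded, per connection).
HARDENED_BIND = '''
import ldap

def bind(username, password, use_tls=True):
    conn = ldap.initialize("ldap://ldap.example.test")  # placeholder host
    if use_tls:
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, "/etc/ssl/certs/ca-bundle.crt")  # placeholder path
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # build this connection's TLS context from the options above
        conn.start_tls_s()
    conn.simple_bind_s(username, password)
    return conn
'''


def scan_samples():
    """Scan both constructed samples; only the vulnerable one should produce findings."""
    return {
        "vulnerable": find_tls_verification_disabled(VULNERABLE_BIND),
        "hardened": find_tls_verification_disabled(HARDENED_BIND),
    }


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(label, hits or "no weak OPT_X_TLS_REQUIRE_CERT settings")
```

A "module" finding is the pattern this advisory describes: a single code path that affects every LDAP connection the process opens afterwards. The hardened sample keeps the setting on the connection object and pins it with OPT_X_TLS_NEWCTX so it applies to that connection's TLS context only.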


Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2026-44305
GHSA-VR7C-R5GJ-J3W5

Affected Products

Lemur