PT-2026-52643 · Lemur · Lemur
Published
2026-06-25
·
Updated
2026-06-25
·
CVE-2026-48508
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Lemur (affected versions not specified)
Description
An authorization bypass exists in the
StrictRolePermission and AuthorityCreatorPermission classes within lemur/auth/permissions.py. When the configuration flags LEMUR STRICT ROLE ENFORCEMENT and ADMIN ONLY AUTHORITY CREATION are unset, they default to False, resulting in an empty set of requirements. Because the underlying flask principal.Permission.allows() function returns True when requirements are empty, any authenticated user, including those with the lowest-privilege read-only role, can bypass authorization checks.This allows unauthorized users to create root Certificate Authorities, upload arbitrary certificates, create domain entries, and manage notifications, which can lead to Server-Side Request Forgery (SSRF).
API Endpoints:
- '/api/1/authorities' (POST)
- '/api/1/certificates/upload' (POST)
- '/api/1/pending certificates/{id}/upload' (POST)
- '/api/1/notifications' (POST)
- '/api/1/notifications/{id}' (PUT/DELETE)
- '/api/1/domains' (POST)
Vulnerable Parameters or Variables:
ADMIN ONLY AUTHORITY CREATIONLEMUR STRICT ROLE ENFORCEMENT
Function Names:
allows()
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Set the configuration flags
ADMIN ONLY AUTHORITY CREATION and LEMUR STRICT ROLE ENFORCEMENT to True in the application configuration.
Avoid setting ADMIN ONLY AUTHORITY CREATION or LEMUR STRICT ROLE ENFORCEMENT to False to prevent reintroducing the bypass.Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Lemur