PT-2026-52643 · Lemur · Lemur

Published

2026-06-25

·

Updated

2026-06-25

·

CVE-2026-48508

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Lemur (affected versions not specified)
Description An authorization bypass exists in the StrictRolePermission and AuthorityCreatorPermission classes within lemur/auth/permissions.py. When the configuration flags LEMUR STRICT ROLE ENFORCEMENT and ADMIN ONLY AUTHORITY CREATION are unset, they default to False, resulting in an empty set of requirements. Because the underlying flask principal.Permission.allows() function returns True when requirements are empty, any authenticated user, including those with the lowest-privilege read-only role, can bypass authorization checks.
This allows unauthorized users to create root Certificate Authorities, upload arbitrary certificates, create domain entries, and manage notifications, which can lead to Server-Side Request Forgery (SSRF).
API Endpoints:
  • '/api/1/authorities' (POST)
  • '/api/1/certificates/upload' (POST)
  • '/api/1/pending certificates/{id}/upload' (POST)
  • '/api/1/notifications' (POST)
  • '/api/1/notifications/{id}' (PUT/DELETE)
  • '/api/1/domains' (POST)
Vulnerable Parameters or Variables:
  • ADMIN ONLY AUTHORITY CREATION
  • LEMUR STRICT ROLE ENFORCEMENT
Function Names:
  • allows()
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Set the configuration flags ADMIN ONLY AUTHORITY CREATION and LEMUR STRICT ROLE ENFORCEMENT to True in the application configuration. Avoid setting ADMIN ONLY AUTHORITY CREATION or LEMUR STRICT ROLE ENFORCEMENT to False to prevent reintroducing the bypass.

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-48508
GHSA-QCQW-JWXC-2HQG

Affected Products

Lemur