PT-2026-52654 · Lemur · Lemur

Published 2026-06-25 · Updated 2026-06-26 · CVE-2026-55163

CVSS v3.1: 6.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Lemur (affected versions not specified)
Description: An authorization bypass exists in the PUT /api/1/roles/<id> endpoint. The handler allows any user who is a member of a role to modify that role, because the permission check is satisfied by membership in the role rather than by administrative privileges. A role member can therefore rewrite the role's membership list through the users field of the request body and rename the role through the name field. Consequently, an attacker who belongs to a role can add unauthorized users to it to grant them elevated access, or remove legitimate users to deny them access.
Recommendations: Apply the @admin_permission.require(http_exception=403) decorator to the Roles.put function so that only administrators can modify roles. As a temporary mitigation, restrict access to the PUT /api/1/roles/<id> endpoint to trusted administrative accounts until the fix is deployed.
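The following is an added example, not Lemur's code, that models the flaw described above and its fix in plain Python: a PUT handler body guarded first by a membership check (the vulnerable behaviour) and then by an admin check, wired through a hypothetical `require(check, http_exception=403)` decorator written in the same shape as the `admin_permission.require(http_exception=403)` call named in the recommendation. `User`, `Role`, `update_role`, `member_check`, `admin_check` and the constructed scenario in `replay_attack` are all assumptions made for the illustration.

```python
"""Added example (not Lemur's code): the role-membership authorization flaw
in PUT /api/1/roles/<id> beside its admin-only fix. All names are hypothetical."""
import functools
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for the HTTP 403 a real Flask handler would return."""

    def __init__(self, status=403):
        super().__init__(status)
        self.status = status


@dataclass
class User:
    name: str
    is_admin: bool = False


@dataclass
class Role:
    id: int
    name: str
    users: set = field(default_factory=set)  # member user names


def member_check(current_user, role):
    """Vulnerable check: being a member of the role is enough to edit it."""
    return current_user.name in role.users


def admin_check(current_user, role):
    """Fixed check: only administrators may edit any role."""
    return current_user.is_admin


def require(check, http_exception=403):
    """Hypothetical decorator in the shape of Permission.require(http_exception=...):
    run `check` against the caller and the target role before the handler body."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(current_user, role, payload):
            if not check(current_user, role):
                raise Forbidden(http_exception)
            return fn(current_user, role, payload)
        return wrapper
    return deco


def update_role(current_user, role, payload):
    """Body of the PUT handler: apply `name` and `users` from the request body."""
    if "name" in payload:
        role.name = payload["name"]
    if "users" in payload:
        role.users = set(payload["users"])
    return role


# The two variants of Roles.put under discussion.
vulnerable_put = require(member_check, http_exception=403)(update_role)
fixed_put = require(admin_check, http_exception=403)(update_role)


def replay_attack(put):
    """Constructed scenario: 'mallory', an ordinary (non-admin) member of the
    role, sends a PUT that drops 'alice' and adds 'eve'. Returns the resulting
    role, or the HTTP status if the request was refused."""
    role = Role(id=1, name="certificate-owners", users={"alice", "mallory"})
    mallory = User("mallory")
    payload = {"name": "certificate-owners", "users": ["mallory", "eve"]}
    try:
        return put(mallory, role, payload)
    except Forbidden as exc:
        return exc.status


def admin_update():
    """Control case: an administrator who is not a member can still edit the role."""
    role = Role(id=1, name="certificate-owners", users={"alice"})
    admin = User("root", is_admin=True)
    return fixed_put(admin, role, {"users": ["alice", "bob"]})


if __name__ == "__main__":
    print("vulnerable:", replay_attack(vulnerable_put))  # membership becomes {mallory, eve}
    print("fixed:     ", replay_attack(fixed_put))       # 403
    print("admin:     ", admin_update())                 # membership becomes {alice, bob}
```

The point to take from the two checks is that `member_check` evaluates a property of the target object (who is in the role) instead of a property of the caller's privilege level; any check of that shape lets the object's own members escalate by editing it. The fix keys the decision on the caller alone.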

Fix

Weakness Enumeration: Incorrect Authorization (CWE-863)

Related Identifiers: CVE-2026-55163, GHSA-X3VF-MGXJ-7785

Affected Products: Lemur