PT-2026-52655 · Lemur · Lemur

Published: 2026-06-25 · Updated: 2026-06-26 · CVE-2026-55164

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Lemur (affected versions not specified)

Description: Passwords are stored in plaintext in the users.password column when a user's password is updated. This occurs because the User model only triggers password hashing on the before_insert event and lacks a corresponding listener for the before_update event. Additionally, the update() function in the service layer does not call hash_password() after assigning a new password value.

The issue is triggered via the admin-gated API endpoint PUT /api/1/users/<id> when the password variable is provided. Consequently, any password change performed by an administrator results in the cleartext password being persisted to the database. This bypasses the protection provided by bcrypt: if the database, backups, or logs are compromised, attackers obtain usable credentials without needing to perform offline cracking.

Recommendations: Register hash_password() as a listener for the before_update event in the User model so that all password updates are hashed. As an alternative, call hash_password() within the update() service function immediately after the password variable is assigned. Rotate all credentials that were stored in plaintext, as they should be considered compromised.
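The following added example (not Lemur's code) models the defect and its fix with a toy ORM: a stand-in for SQLAlchemy mapper events with a hashing listener registered only on before_insert, the same listener also registered on before_update, and an audit helper that finds rows holding plaintext so the affected credentials can be rotated. PBKDF2 stands in for bcrypt, and the hook names, row layout and sample users are assumptions.

```python
import hashlib
import os
import re

# Stand-in for bcrypt (assumption): PBKDF2 with a random salt, encoded so that
# hashed values are recognisable by a fixed prefix and length.
def hash_secret(plaintext: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, 100_000)
    return "$pbkdf2$" + salt.hex() + "$" + digest.hex()

HASH_RE = re.compile(r"^\$pbkdf2\$[0-9a-f]{32}\$[0-9a-f]{64}$")

class MiniORM:
    """Toy mapper with before_insert / before_update hooks (assumption: stands
    in for SQLAlchemy mapper events; rows live in a dict, not a database)."""
    def __init__(self):
        self.rows = {}
        self.hooks = {"before_insert": [], "before_update": []}
    def listen(self, event, fn):
        self.hooks[event].append(fn)
    def insert(self, uid, row):
        for fn in self.hooks["before_insert"]:
            fn(row)
        self.rows[uid] = dict(row)
    def update(self, uid, **changes):
        row = dict(self.rows[uid])
        row.update(changes)
        for fn in self.hooks["before_update"]:
            fn(row)
        self.rows[uid] = row

def hash_password(row):
    # Hash only when the value is not already a hash: before_update also fires
    # for updates that never touched the password, so avoid double hashing.
    if row.get("password") and not HASH_RE.match(row["password"]):
        row["password"] = hash_secret(row["password"])

def build(fixed: bool) -> MiniORM:
    orm = MiniORM()
    orm.listen("before_insert", hash_password)
    if fixed:
        orm.listen("before_update", hash_password)  # the listener Lemur lacked
    return orm

def audit_plaintext(orm) -> list:
    """Defender check: ids whose stored password is not a hash (rotate these)."""
    return [uid for uid, r in orm.rows.items() if not HASH_RE.match(r["password"])]

def demo(fixed: bool) -> list:
    orm = build(fixed)
    orm.insert(1, {"email": "admin@example.test", "password": "initial-secret"})
    orm.update(1, password="rotated-secret")  # models an admin PUT /api/1/users/1
    orm.update(1, email="admin2@example.test")  # update without a password change
    return audit_plaintext(orm)
```

demo(False) reports user 1 as holding plaintext after the admin update, while demo(True) reports no plaintext rows and the unrelated e-mail update does not re-hash the stored hash.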

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-55164
GHSA-Q437-G7FV-2JVV

Affected Products

Lemur