CVE-2026-44304: Lemur LDAP Auth Flaw Allows Privilege Escalation
The National Vulnerability Database has disclosed CVE-2026-44304, a critical vulnerability in Lemur’s LDAP authentication module (lemur/auth/ldap.py). This flaw, present in versions prior to 1.9.0, allows an authenticated LDAP user to inject LDAP filter metacharacters through the username field. This unsanitized input can manipulate group membership queries.
Attackers can leverage this vulnerability to escalate their privileges to administrator. The National Vulnerability Database assigns a CVSSv3.1 score of 8.1 (HIGH), citing a network attack vector and low privileges required for exploitation. The critical impact on confidentiality and integrity stems from the ability to gain full administrative control over Lemur.
This is a classic CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query) scenario. Defenders using Lemur for TLS certificate management must prioritize patching to version 1.9.0 immediately. Without proper input sanitization, any authenticated LDAP user becomes a potential administrator, fundamentally undermining the security posture of the certificate management system.
What This Means For You
- If your organization uses Lemur for TLS certificate management, you need to verify your version immediately. If it's prior to 1.9.0, you are exposed to privilege escalation. Patch to version 1.9.0 without delay to mitigate CVE-2026-44304 and prevent any authenticated LDAP user from becoming an administrator.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-44304: Lemur LDAP Authentication Privilege Escalation
title: CVE-2026-44304: Lemur LDAP Authentication Privilege Escalation
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
This rule detects potential privilege escalation attempts in Lemur by identifying LDAP authentication attempts where the username field contains LDAP filter metacharacters. An unpatched Lemur instance (prior to 1.9.0) is vulnerable to LDAP injection via the username field, allowing authenticated users to manipulate group membership queries and escalate privileges. This detection specifically looks for common LDAP filter characters within the username during authentication.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-44304/
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: authentication
detection:
selection:
User|contains:
- '*)*'
- '*(*'
- '*&'
- '*|'
- '*='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44304 | Privilege Escalation | Lemur versions prior to 1.9.0 |
| CVE-2026-44304 | Code Injection | Lemur's LDAP authentication module (lemur/auth/ldap.py) unsanitized user input in username field |
| CVE-2026-44304 | Auth Bypass | LDAP filter metacharacter injection to manipulate group membership queries |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Fuji Tellus Driver Grants All Users Kernel R/W: CVE-2026-8108
CVE-2026-8108 — The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.
MonsterInsights WordPress Plugin Exposes Google OAuth Tokens
CVE-2026-5371 — The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of...
ChurchCRM CVE-2026-44548: High-Severity CSRF Allows Silent Record Deletion
CVE-2026-44548 — ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php...