Attack Chain

1. Attacker identifies a Lemur instance with LDAP authentication enabled.
2. Attacker obtains valid LDAP credentials for a low-privilege user.
3. The attacker crafts a malicious username containing LDAP filter metacharacters, such as )(memberOf=CN=LemurAdmins,DC=corp,DC=example,DC=com.
4. The attacker sends a POST /auth/login request with the crafted username and valid password.
5. Lemur’s ldap.py module constructs an LDAP filter using the unsanitized username, resulting in a modified query.
6. The LDAP server processes the malicious filter, potentially returning unintended group memberships.
7. Lemur assigns the user the admin role based on the manipulated LDAP query results.
8. The attacker gains unauthorized access to sensitive resources, including certificates, private keys, and CA configurations, and can issue certificates under any authority.

Impact

Successful exploitation of this vulnerability allows an attacker to gain administrative privileges within Lemur, potentially compromising all managed certificates and associated private keys. The attacker can then issue certificates under any authority, leading to a complete compromise of trust within the affected organization. While the exact number of affected Lemur instances is unknown, this vulnerability poses a significant risk to organizations relying on Lemur for certificate management, particularly those in highly regulated sectors.

Recommendation

• Upgrade Lemur to version 1.9.0 or later to patch the LDAP injection vulnerability (CVE-2026-44304).
• Deploy the provided Sigma rule to detect suspicious process creations with arguments indicative of exploitation attempts.
• Enable webserver logging to monitor for unusual characters in usernames submitted via POST requests to /auth/login to proactively identify potential exploitation attempts.