Search

Find a vulnerability

Search criteria

    Related vulnerabilities

    GHSA-QCQW-JWXC-2HQG

    Vulnerability from github – Published: 2026-06-25 18:48 – Updated: 2026-06-25 18:48
    VLAI
    Summary
    Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission
    Details

    Summary

    StrictRolePermission and AuthorityCreatorPermission in lemur/auth/permissions.py call flask_principal.Permission.__init__() with zero Needs when their config flags are unset. Both flags defaulted to False in code prior to the fix, so this was the state of any Lemur install that hadn't explicitly opted in.

    Flask-Principal's Permission.allows() returns True whenever self.needs is empty. The .can() gate therefore passes for every authenticated identity, including the lowest-privilege role Lemur ships (read-only).

    A user holding only read-only can create root Certificate Authorities, create and edit notifications (an SSRF sink), create domain entries, and upload arbitrary certificates. These classes are the sole authorization check on those endpoints.

    Root Cause

    # lemur/auth/permissions.py
    class AuthorityCreatorPermission(Permission):
        def __init__(self):
            requires_admin = current_app.config.get("ADMIN_ONLY_AUTHORITY_CREATION", False)
            if requires_admin:
                super().__init__(RoleNeed("admin"))
            else:
                super().__init__()              # empty Need set
    
    class StrictRolePermission(Permission):
        def __init__(self):
            strict_role_enforcement = current_app.config.get("LEMUR_STRICT_ROLE_ENFORCEMENT", False)
            if strict_role_enforcement:
                needs = [RoleNeed("admin"), RoleNeed("operator")]
                super().__init__(*needs)
            else:
                super().__init__()              # empty Need set
    

    flask_principal.Permission.allows() (upstream, v0.4.0):

    def allows(self, identity):
        if self.needs and not self.needs.intersection(identity.provides):
            return False
        ...
        return True
    

    When self.needs == set(), the first guard is falsy and is skipped. excludes is also empty, so allows() returns True for any identity. AuthenticatedResource (the parent class for these views) sets method_decorators = [login_required], which checks authentication only, no role. So the permission .can() is the only authorization layer in front of these endpoints.

    Affected Endpoints

    Views whose only authorization check is StrictRolePermission().can() or AuthorityCreatorPermission().can():

    Method Path Source
    POST /api/1/authorities lemur/authorities/views.py:231
    POST /api/1/certificates/upload lemur/certificates/views.py:651
    POST /api/1/pending_certificates/\/upload lemur/pending_certificates/views.py:545
    POST /api/1/notifications lemur/notifications/views.py:227
    PUT/DEL /api/1/notifications/\ lemur/notifications/views.py:370,384
    POST /api/1/domains lemur/domains/views.py:131

    POST /api/1/authorities is gated by AuthorityCreatorPermission().can() and StrictRolePermission().can(); both have empty Needs by default. The other rows are gated by StrictRolePermission().can() alone.

    Note on scope: PUT /api/1/authorities/<id> also references StrictRolePermission, but its gate is AuthorityPermission(...).can() and StrictRolePermission().can(). AuthorityPermission is constructed with non-empty Needs (RoleNeed("admin") plus authority-scoped needs), so that endpoint is not bypassable by a read-only user and is excluded from this report.

    Impact

    A user holding only the read-only role can:

    1. Create root Certificate Authorities. CA cert and private key are persisted in Lemur's DB with the attacker as owner. Any internal trust store that pins Lemur-managed roots can now be signed against by the attacker.
    2. Upload arbitrary certificates via /certificates/upload, including attacker-supplied keys with destinations such as AWS push.
    3. Create or modify notifications, which reach an SSRF sink (see related finding F3, Slack notification webhook).
    4. Mark arbitrary domains as sensitive, manipulating Lemur's domain registry and the cert-issuance approval path.

    Combined with any low-privilege credential leak (phished employee, leaked SSO token) or insider access, this is a pivot from "any authenticated identity" to control of the PKI issuance plane.

    Remediation

    The config flag defaults for ADMIN_ONLY_AUTHORITY_CREATION and LEMUR_STRICT_ROLE_ENFORCEMENT were changed from False to True. Restrictive role enforcement is now active on all default installs without requiring explicit configuration.

    class AuthorityCreatorPermission(Permission):
        def __init__(self):
            requires_admin = current_app.config.get("ADMIN_ONLY_AUTHORITY_CREATION", True)
            ...
    
    class StrictRolePermission(Permission):
        def __init__(self):
            strict_role_enforcement = current_app.config.get("LEMUR_STRICT_ROLE_ENFORCEMENT", True)
            ...
    

    Note: The opt-out branches (empty Needs) remain in the code. Operators who explicitly set ADMIN_ONLY_AUTHORITY_CREATION = False or LEMUR_STRICT_ROLE_ENFORCEMENT = False in their config will reintroduce the bypass. These flags should be left unset or set to True.

    Show details on source website

    {
      "affected": [
        {
          "database_specific": {
            "last_known_affected_version_range": "\u003c= 1.9.0"
          },
          "package": {
            "ecosystem": "PyPI",
            "name": "lemur"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "1.9.1"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ]
        }
      ],
      "aliases": [
        "CVE-2026-48508"
      ],
      "database_specific": {
        "cwe_ids": [
          "CWE-863"
        ],
        "github_reviewed": true,
        "github_reviewed_at": "2026-06-25T18:48:39Z",
        "nvd_published_at": null,
        "severity": "HIGH"
      },
      "details": "## Summary\n\n`StrictRolePermission` and `AuthorityCreatorPermission` in `lemur/auth/permissions.py` call `flask_principal.Permission.__init__()` with zero `Need`s when their config flags are unset. Both flags defaulted to `False` in code prior to the fix, so this was the state of any Lemur install that hadn\u0027t explicitly opted in.\n\nFlask-Principal\u0027s `Permission.allows()` returns `True` whenever `self.needs` is empty. The `.can()` gate therefore passes for every authenticated identity, including the lowest-privilege role Lemur ships (`read-only`).\n\nA user holding only `read-only` can create root Certificate Authorities, create and edit notifications (an SSRF sink), create domain entries, and upload arbitrary certificates. These classes are the sole authorization check on those endpoints.\n\n## Root Cause\n\n```python\n# lemur/auth/permissions.py\nclass AuthorityCreatorPermission(Permission):\n    def __init__(self):\n        requires_admin = current_app.config.get(\"ADMIN_ONLY_AUTHORITY_CREATION\", False)\n        if requires_admin:\n            super().__init__(RoleNeed(\"admin\"))\n        else:\n            super().__init__()              # empty Need set\n\nclass StrictRolePermission(Permission):\n    def __init__(self):\n        strict_role_enforcement = current_app.config.get(\"LEMUR_STRICT_ROLE_ENFORCEMENT\", False)\n        if strict_role_enforcement:\n            needs = [RoleNeed(\"admin\"), RoleNeed(\"operator\")]\n            super().__init__(*needs)\n        else:\n            super().__init__()              # empty Need set\n```\n\n`flask_principal.Permission.allows()` (upstream, v0.4.0):\n\n```python\ndef allows(self, identity):\n    if self.needs and not self.needs.intersection(identity.provides):\n        return False\n    ...\n    return True\n```\n\nWhen `self.needs == set()`, the first guard is falsy and is skipped. `excludes` is also empty, so `allows()` returns `True` for any identity. `AuthenticatedResource` (the parent class for these views) sets `method_decorators = [login_required]`, which checks authentication only, no role. So the permission `.can()` is the only authorization layer in front of these endpoints.\n\n## Affected Endpoints\n\nViews whose only authorization check is `StrictRolePermission().can()` or `AuthorityCreatorPermission().can()`:\n\n| Method   | Path                                      | Source                                  |\n|----------|-------------------------------------------|-----------------------------------------|\n| POST     | /api/1/authorities                        | lemur/authorities/views.py:231          |\n| POST     | /api/1/certificates/upload                | lemur/certificates/views.py:651         |\n| POST     | /api/1/pending_certificates/\\\u003cid\u003e/upload  | lemur/pending_certificates/views.py:545 |\n| POST     | /api/1/notifications                      | lemur/notifications/views.py:227        |\n| PUT/DEL  | /api/1/notifications/\\\u003cid\u003e                | lemur/notifications/views.py:370,384    |\n| POST     | /api/1/domains                            | lemur/domains/views.py:131              |\n\n`POST /api/1/authorities` is gated by `AuthorityCreatorPermission().can() and StrictRolePermission().can()`; both have empty Needs by default. The other rows are gated by `StrictRolePermission().can()` alone.\n\nNote on scope: `PUT /api/1/authorities/\u003cid\u003e` also references `StrictRolePermission`, but its gate is `AuthorityPermission(...).can() and StrictRolePermission().can()`. `AuthorityPermission` is constructed with non-empty Needs (`RoleNeed(\"admin\")` plus authority-scoped needs), so that endpoint is not bypassable by a `read-only` user and is excluded from this report.\n\n## Impact\n\nA user holding only the `read-only` role can:\n\n1. Create root Certificate Authorities. CA cert and private key are persisted in Lemur\u0027s DB with the attacker as owner. Any internal trust store that pins Lemur-managed roots can now be signed against by the attacker.\n2. Upload arbitrary certificates via `/certificates/upload`, including attacker-supplied keys with destinations such as AWS push.\n3. Create or modify notifications, which reach an SSRF sink (see related finding F3, Slack notification webhook).\n4. Mark arbitrary domains as `sensitive`, manipulating Lemur\u0027s domain registry and the cert-issuance approval path.\n\nCombined with any low-privilege credential leak (phished employee, leaked SSO token) or insider access, this is a pivot from \"any authenticated identity\" to control of the PKI issuance plane.\n\n## Remediation\n\nThe config flag defaults for `ADMIN_ONLY_AUTHORITY_CREATION` and `LEMUR_STRICT_ROLE_ENFORCEMENT` were changed from `False` to `True`. Restrictive role enforcement is now active on all default installs without requiring explicit configuration.\n\n```python\nclass AuthorityCreatorPermission(Permission):\n    def __init__(self):\n        requires_admin = current_app.config.get(\"ADMIN_ONLY_AUTHORITY_CREATION\", True)\n        ...\n\nclass StrictRolePermission(Permission):\n    def __init__(self):\n        strict_role_enforcement = current_app.config.get(\"LEMUR_STRICT_ROLE_ENFORCEMENT\", True)\n        ...\n```\n\n**Note:** The opt-out branches (empty Needs) remain in the code. Operators who explicitly set `ADMIN_ONLY_AUTHORITY_CREATION = False` or `LEMUR_STRICT_ROLE_ENFORCEMENT = False` in their config will reintroduce the bypass. These flags should be left unset or set to `True`.",
      "id": "GHSA-qcqw-jwxc-2hqg",
      "modified": "2026-06-25T18:48:39Z",
      "published": "2026-06-25T18:48:39Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-qcqw-jwxc-2hqg"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/Netflix/lemur"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "type": "CVSS_V3"
        }
      ],
      "summary": "Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission"
    }

    PYSEC-2026-2588

    Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:04
    VLAI
    Details

    Summary

    StrictRolePermission and AuthorityCreatorPermission in lemur/auth/permissions.py call flask_principal.Permission.__init__() with zero Needs when their config flags are unset. Both flags defaulted to False in code prior to the fix, so this was the state of any Lemur install that hadn't explicitly opted in.

    Flask-Principal's Permission.allows() returns True whenever self.needs is empty. The .can() gate therefore passes for every authenticated identity, including the lowest-privilege role Lemur ships (read-only).

    A user holding only read-only can create root Certificate Authorities, create and edit notifications (an SSRF sink), create domain entries, and upload arbitrary certificates. These classes are the sole authorization check on those endpoints.

    Root Cause

    # lemur/auth/permissions.py
    class AuthorityCreatorPermission(Permission):
        def __init__(self):
            requires_admin = current_app.config.get("ADMIN_ONLY_AUTHORITY_CREATION", False)
            if requires_admin:
                super().__init__(RoleNeed("admin"))
            else:
                super().__init__()              # empty Need set
    
    class StrictRolePermission(Permission):
        def __init__(self):
            strict_role_enforcement = current_app.config.get("LEMUR_STRICT_ROLE_ENFORCEMENT", False)
            if strict_role_enforcement:
                needs = [RoleNeed("admin"), RoleNeed("operator")]
                super().__init__(*needs)
            else:
                super().__init__()              # empty Need set
    

    flask_principal.Permission.allows() (upstream, v0.4.0):

    def allows(self, identity):
        if self.needs and not self.needs.intersection(identity.provides):
            return False
        ...
        return True
    

    When self.needs == set(), the first guard is falsy and is skipped. excludes is also empty, so allows() returns True for any identity. AuthenticatedResource (the parent class for these views) sets method_decorators = [login_required], which checks authentication only, no role. So the permission .can() is the only authorization layer in front of these endpoints.

    Affected Endpoints

    Views whose only authorization check is StrictRolePermission().can() or AuthorityCreatorPermission().can():

    Method Path Source
    POST /api/1/authorities lemur/authorities/views.py:231
    POST /api/1/certificates/upload lemur/certificates/views.py:651
    POST /api/1/pending_certificates/\/upload lemur/pending_certificates/views.py:545
    POST /api/1/notifications lemur/notifications/views.py:227
    PUT/DEL /api/1/notifications/\ lemur/notifications/views.py:370,384
    POST /api/1/domains lemur/domains/views.py:131

    POST /api/1/authorities is gated by AuthorityCreatorPermission().can() and StrictRolePermission().can(); both have empty Needs by default. The other rows are gated by StrictRolePermission().can() alone.

    Note on scope: PUT /api/1/authorities/<id> also references StrictRolePermission, but its gate is AuthorityPermission(...).can() and StrictRolePermission().can(). AuthorityPermission is constructed with non-empty Needs (RoleNeed("admin") plus authority-scoped needs), so that endpoint is not bypassable by a read-only user and is excluded from this report.

    Impact

    A user holding only the read-only role can:

    1. Create root Certificate Authorities. CA cert and private key are persisted in Lemur's DB with the attacker as owner. Any internal trust store that pins Lemur-managed roots can now be signed against by the attacker.
    2. Upload arbitrary certificates via /certificates/upload, including attacker-supplied keys with destinations such as AWS push.
    3. Create or modify notifications, which reach an SSRF sink (see related finding F3, Slack notification webhook).
    4. Mark arbitrary domains as sensitive, manipulating Lemur's domain registry and the cert-issuance approval path.

    Combined with any low-privilege credential leak (phished employee, leaked SSO token) or insider access, this is a pivot from "any authenticated identity" to control of the PKI issuance plane.

    Remediation

    The config flag defaults for ADMIN_ONLY_AUTHORITY_CREATION and LEMUR_STRICT_ROLE_ENFORCEMENT were changed from False to True. Restrictive role enforcement is now active on all default installs without requiring explicit configuration.

    class AuthorityCreatorPermission(Permission):
        def __init__(self):
            requires_admin = current_app.config.get("ADMIN_ONLY_AUTHORITY_CREATION", True)
            ...
    
    class StrictRolePermission(Permission):
        def __init__(self):
            strict_role_enforcement = current_app.config.get("LEMUR_STRICT_ROLE_ENFORCEMENT", True)
            ...
    

    Note: The opt-out branches (empty Needs) remain in the code. Operators who explicitly set ADMIN_ONLY_AUTHORITY_CREATION = False or LEMUR_STRICT_ROLE_ENFORCEMENT = False in their config will reintroduce the bypass. These flags should be left unset or set to True.

    Impacted products
    Name purl
    lemur pkg:pypi/lemur

    {
      "affected": [
        {
          "package": {
            "ecosystem": "PyPI",
            "name": "lemur",
            "purl": "pkg:pypi/lemur"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0"
                },
                {
                  "fixed": "1.9.1"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "0.11.0",
            "0.2.1",
            "0.8.0",
            "0.8.1",
            "0.9.0",
            "1.0.0",
            "1.1.0",
            "1.2.0",
            "1.3.1",
            "1.3.2",
            "1.4.0",
            "1.5.0",
            "1.6.0",
            "1.7.0",
            "1.8.0",
            "1.8.1",
            "1.8.2",
            "1.9.0"
          ]
        }
      ],
      "aliases": [
        "CVE-2026-48508",
        "GHSA-qcqw-jwxc-2hqg"
      ],
      "details": "## Summary\n\n`StrictRolePermission` and `AuthorityCreatorPermission` in `lemur/auth/permissions.py` call `flask_principal.Permission.__init__()` with zero `Need`s when their config flags are unset. Both flags defaulted to `False` in code prior to the fix, so this was the state of any Lemur install that hadn\u0027t explicitly opted in.\n\nFlask-Principal\u0027s `Permission.allows()` returns `True` whenever `self.needs` is empty. The `.can()` gate therefore passes for every authenticated identity, including the lowest-privilege role Lemur ships (`read-only`).\n\nA user holding only `read-only` can create root Certificate Authorities, create and edit notifications (an SSRF sink), create domain entries, and upload arbitrary certificates. These classes are the sole authorization check on those endpoints.\n\n## Root Cause\n\n```python\n# lemur/auth/permissions.py\nclass AuthorityCreatorPermission(Permission):\n    def __init__(self):\n        requires_admin = current_app.config.get(\"ADMIN_ONLY_AUTHORITY_CREATION\", False)\n        if requires_admin:\n            super().__init__(RoleNeed(\"admin\"))\n        else:\n            super().__init__()              # empty Need set\n\nclass StrictRolePermission(Permission):\n    def __init__(self):\n        strict_role_enforcement = current_app.config.get(\"LEMUR_STRICT_ROLE_ENFORCEMENT\", False)\n        if strict_role_enforcement:\n            needs = [RoleNeed(\"admin\"), RoleNeed(\"operator\")]\n            super().__init__(*needs)\n        else:\n            super().__init__()              # empty Need set\n```\n\n`flask_principal.Permission.allows()` (upstream, v0.4.0):\n\n```python\ndef allows(self, identity):\n    if self.needs and not self.needs.intersection(identity.provides):\n        return False\n    ...\n    return True\n```\n\nWhen `self.needs == set()`, the first guard is falsy and is skipped. `excludes` is also empty, so `allows()` returns `True` for any identity. `AuthenticatedResource` (the parent class for these views) sets `method_decorators = [login_required]`, which checks authentication only, no role. So the permission `.can()` is the only authorization layer in front of these endpoints.\n\n## Affected Endpoints\n\nViews whose only authorization check is `StrictRolePermission().can()` or `AuthorityCreatorPermission().can()`:\n\n| Method   | Path                                      | Source                                  |\n|----------|-------------------------------------------|-----------------------------------------|\n| POST     | /api/1/authorities                        | lemur/authorities/views.py:231          |\n| POST     | /api/1/certificates/upload                | lemur/certificates/views.py:651         |\n| POST     | /api/1/pending_certificates/\\\u003cid\u003e/upload  | lemur/pending_certificates/views.py:545 |\n| POST     | /api/1/notifications                      | lemur/notifications/views.py:227        |\n| PUT/DEL  | /api/1/notifications/\\\u003cid\u003e                | lemur/notifications/views.py:370,384    |\n| POST     | /api/1/domains                            | lemur/domains/views.py:131              |\n\n`POST /api/1/authorities` is gated by `AuthorityCreatorPermission().can() and StrictRolePermission().can()`; both have empty Needs by default. The other rows are gated by `StrictRolePermission().can()` alone.\n\nNote on scope: `PUT /api/1/authorities/\u003cid\u003e` also references `StrictRolePermission`, but its gate is `AuthorityPermission(...).can() and StrictRolePermission().can()`. `AuthorityPermission` is constructed with non-empty Needs (`RoleNeed(\"admin\")` plus authority-scoped needs), so that endpoint is not bypassable by a `read-only` user and is excluded from this report.\n\n## Impact\n\nA user holding only the `read-only` role can:\n\n1. Create root Certificate Authorities. CA cert and private key are persisted in Lemur\u0027s DB with the attacker as owner. Any internal trust store that pins Lemur-managed roots can now be signed against by the attacker.\n2. Upload arbitrary certificates via `/certificates/upload`, including attacker-supplied keys with destinations such as AWS push.\n3. Create or modify notifications, which reach an SSRF sink (see related finding F3, Slack notification webhook).\n4. Mark arbitrary domains as `sensitive`, manipulating Lemur\u0027s domain registry and the cert-issuance approval path.\n\nCombined with any low-privilege credential leak (phished employee, leaked SSO token) or insider access, this is a pivot from \"any authenticated identity\" to control of the PKI issuance plane.\n\n## Remediation\n\nThe config flag defaults for `ADMIN_ONLY_AUTHORITY_CREATION` and `LEMUR_STRICT_ROLE_ENFORCEMENT` were changed from `False` to `True`. Restrictive role enforcement is now active on all default installs without requiring explicit configuration.\n\n```python\nclass AuthorityCreatorPermission(Permission):\n    def __init__(self):\n        requires_admin = current_app.config.get(\"ADMIN_ONLY_AUTHORITY_CREATION\", True)\n        ...\n\nclass StrictRolePermission(Permission):\n    def __init__(self):\n        strict_role_enforcement = current_app.config.get(\"LEMUR_STRICT_ROLE_ENFORCEMENT\", True)\n        ...\n```\n\n**Note:** The opt-out branches (empty Needs) remain in the code. Operators who explicitly set `ADMIN_ONLY_AUTHORITY_CREATION = False` or `LEMUR_STRICT_ROLE_ENFORCEMENT = False` in their config will reintroduce the bypass. These flags should be left unset or set to `True`.",
      "id": "PYSEC-2026-2588",
      "modified": "2026-07-13T16:04:34.757120Z",
      "published": "2026-07-13T15:46:24.133912Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/Netflix/lemur/security/advisories/GHSA-qcqw-jwxc-2hqg"
        },
        {
          "type": "PACKAGE",
          "url": "https://github.com/Netflix/lemur"
        },
        {
          "type": "PACKAGE",
          "url": "https://pypi.org/project/lemur"
        },
        {
          "type": "ADVISORY",
          "url": "https://github.com/advisories/GHSA-qcqw-jwxc-2hqg"
        },
        {
          "type": "ADVISORY",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48508"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "type": "CVSS_V3"
        }
      ],
      "summary": "Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission"
    }