CVE-2026-44304
Severity: High
Published: 12 May 2026
Modified: 13 May 2026
KEV Added: —
Patch: —
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (6.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)
Summary
CVE-2026-44304 is a high-severity LDAP Injection (CWE-90) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, it is ranked at the 6.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
NVD Description
Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator. This vulnerability is fixed in 1.9.0.
Details
- CWE(s)