CVE-2026-44304: Lemur: LDAP Filter Injection enables post-authentication privilege escalation

📋 Vulnerability Details

CVE ID: CVE-2026-44304
Vendor: pip
Affected Product: lemur
Vulnerability Type: Vulnerability
CVSS Score: 8.1 (HIGH)
Actively Exploited: No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Description

Overview: Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters from unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator.

Vulnerable Code Location: lemur/auth/ldap.py, _bind() method

Filter 1 — User lookup (line ~161):

```python
ldap_filter = "userPrincipalName=%s" % self.ldap_principal
```

self.ldap_principal is derived directly from args["username"] submitted at POST /auth/login with no sanitization. The ldap.filter.escape_filter_chars() function is never called.

Filter 2 — Active Directory group lookup (line ~189): gr
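The following is an added example, not Lemur's code or part of this advisory. It rebuilds the Filter 1 construction above in its unsafe form and in an escaped form, and adds a small check a login handler could use to flag usernames carrying filter metacharacters. It assumes python-ldap is not installed and so reimplements the RFC 4515 value escaping that ldap.filter.escape_filter_chars() performs; the function names are the example's own.

```python
"""Added example (not Lemur's code): the advisory's user-lookup filter built
unsafely and safely, plus a defender-side check on submitted usernames."""

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
# This mirrors what python-ldap's ldap.filter.escape_filter_chars() does.
_ESCAPE = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_chars(value: str) -> str:
    """Escape LDAP filter metacharacters so the value is matched literally."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def unsafe_user_filter(username: str) -> str:
    """Filter 1 as the advisory describes it: raw interpolation, no escaping."""
    return "userPrincipalName=%s" % username


def safe_user_filter(username: str) -> str:
    """Hardened form: the username is escaped before interpolation."""
    return "userPrincipalName=%s" % escape_filter_chars(username)


def login_username_suspicious(username: str) -> bool:
    """Detection helper (hypothetical): True if a submitted username contains
    any filter metacharacter, which a legitimate principal name never needs."""
    return any(ch in username for ch in _ESCAPE)


if __name__ == "__main__":
    # Constructed sample input: a username carrying filter metacharacters.
    submitted = "alice)(cn=*"
    print("unsafe:", unsafe_user_filter(submitted))
    print("safe:  ", safe_user_filter(submitted))
    print("flag:  ", login_username_suspicious(submitted))
```

In the unsafe form the parentheses and wildcard survive into the filter grammar; in the escaped form they become literal bytes of the value, which is the behaviour the missing escape_filter_chars() call would have provided.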
