Security: Netflix/lemur
No security policy detected
This project has not set up a SECURITY.md file yet.
Published advisories:

Post-authentication SSRF via certificate verification - attacker-controlled CRL and OCSP URLs in uploaded certificates
GHSA-54vg-pfh7-jq95, published Jun 10, 2026 by PJ1288, severity: Moderate

Privilege escalation via PUT /api/1/roles/<id> — non-admin role members can rewrite role membership
GHSA-x3vf-mgxj-7785, published Jun 10, 2026 by PJ1288, severity: Moderate

Plaintext password storage in Lemur user-update path
GHSA-q437-g7fv-2jvv, published Jun 10, 2026 by PJ1288, severity: Moderate

Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap; chain-dependent ATO with secret disclosure
GHSA-r9gp-7f88-9r54, published Jun 10, 2026 by PJ1288, severity: Moderate

Lemur 1.9.0: any SSO-authenticated user achieves AWS IAM compromise and permanent PKI key access via ACME acme_url SSRF and creator-equality IDOR
GHSA-v2wp-frmc-5q3v, published Jun 10, 2026 by PJ1288, severity: Critical

Authorization bypass in StrictRolePermission / AuthorityCreatorPermission
GHSA-qcqw-jwxc-2hqg, published May 28, 2026 by jtschladen, severity: High

LDAP TLS certificate verification globally disabled enables credential interception
GHSA-vr7c-r5gj-j3w5, published Apr 28, 2026 by jtschladen, severity: Moderate

LDAP Filter Injection enables post-authentication privilege escalation
GHSA-3r34-vq8m-39gh, published Apr 28, 2026 by jtschladen, severity: High

NFLX-2023-001 Insecure random generation
GHSA-5fqv-mpj8-h7gm, published Feb 28, 2023 by jtschladen, severity: Low
Learn more about advisories related to Netflix/lemur in the GitHub Advisory Database