Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVE-2026-44304

Low

0/10

Summary

Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator. This affects versions prior to 1.9.0.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

References

Advisory Timeline

Published May 12, 2026

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVE-2026-44304

Summary

CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS