CVE-2026-44305 MEDIUM

CVE-2026-44305: Lemur: LDAP TLS certificate verification globally disabled enables credential interception

Vendor Netflix
Product lemur
Weakness CWE-295
Published May 12, 2026
Last update May 13, 2026

CVSS base score

6.8/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled (LDAP_USE_TLS = True), Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a man-in-the-middle attacker positioned between Lemur and the LDAP server to intercept all authentication credentials. This vulnerability is fixed in 1.9.0.
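The point of the advisory is the scope of the setting, not just its value: an option applied on the ldap module object is a process-wide default, so one code path that turns off peer verification weakens every LDAP handle created afterwards. The following is an added example, not Lemur's code or the fix shipped in 1.9.0. It assumes the application expresses the weakness through the python-ldap API (ldap.set_option / conn.set_option with OPT_X_TLS_REQUIRE_CERT); that mapping is an assumption, and the source modules it scans are constructed for the example. The audit walks the AST, flags any set_option call that sets OPT_X_TLS_REQUIRE_CERT to OPT_X_TLS_NEVER or OPT_X_TLS_ALLOW, and reports whether the receiver is the global module or a single connection.

```python
"""Static audit for python-ldap calls that disable TLS peer verification.

Added example; not Lemur's code. Assumes the python-ldap set_option API is
what the application uses (an assumption). The sample modules below are
constructed for this example.
"""
import ast
from dataclasses import dataclass

# python-ldap values for OPT_X_TLS_REQUIRE_CERT that skip or tolerate a bad peer cert.
WEAK_REQUIRE_CERT = {"OPT_X_TLS_NEVER", "OPT_X_TLS_ALLOW"}


@dataclass
class Finding:
    line: int
    scope: str   # "global" for ldap.set_option(...), "connection" for <handle>.set_option(...)
    value: str   # the OPT_X_TLS_* constant that was set


def _attr_name(node):
    """Return 'X' for an attribute node such as ldap.X, otherwise None."""
    return node.attr if isinstance(node, ast.Attribute) else None


def audit_source(source: str) -> list:
    """Return a Finding for every set_option(OPT_X_TLS_REQUIRE_CERT, <weak>) call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or len(node.args) != 2:
            continue
        if not (isinstance(node.func, ast.Attribute) and node.func.attr == "set_option"):
            continue
        if _attr_name(node.args[0]) != "OPT_X_TLS_REQUIRE_CERT":
            continue
        value = _attr_name(node.args[1])
        if value not in WEAK_REQUIRE_CERT:
            continue
        receiver = node.func.value
        # ldap.set_option changes the process-wide default; any other receiver is one handle.
        global_scope = isinstance(receiver, ast.Name) and receiver.id == "ldap"
        findings.append(Finding(node.lineno, "global" if global_scope else "connection", value))
    return findings


# Constructed sample: verification disabled at module level, as the advisory describes.
VULNERABLE_SAMPLE = '''
import ldap

def connect(server, use_tls):
    if use_tls:
        # process-wide: every handle created afterwards skips peer verification
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
    conn = ldap.initialize(server)
    conn.start_tls_s()
    return conn
'''

# Constructed sample: per-connection options, CA pinned, verification demanded.
HARDENED_SAMPLE = '''
import ldap

def connect(server, use_tls, ca_file):
    conn = ldap.initialize(server)
    if use_tls:
        # options apply to this handle only; NEWCTX builds a fresh TLS context from them
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
        conn.start_tls_s()
    return conn
'''

# Constructed sample: weak, but scoped to one handle rather than the whole process.
CONNECTION_SCOPED_SAMPLE = '''
import ldap

def connect(server):
    conn = ldap.initialize(server)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
    conn.start_tls_s()
    return conn
'''


def summarize(source: str) -> str:
    """One-line verdict per sample, used by the stand-alone run below."""
    findings = audit_source(source)
    if not findings:
        return "ok: no weakened OPT_X_TLS_REQUIRE_CERT setting found"
    return "; ".join(f"line {f.line}: {f.scope} scope set to {f.value}" for f in findings)


if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SAMPLE),
                      ("hardened", HARDENED_SAMPLE),
                      ("connection-scoped", CONNECTION_SCOPED_SAMPLE)]:
        print(f"{name}: {summarize(src)}")
```

Run over a real code base, a "global" finding is the one to treat as this advisory's pattern; a "connection" finding is still a verification bypass, just confined to the handle that set it. The hardened sample pairs OPT_X_TLS_DEMAND with an explicit CA file and OPT_X_TLS_NEWCTX, because setting REQUIRE_CERT on a handle without a new TLS context leaves the previously built context in effect.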

Key dates

Disclosure timeline

May 12, 2026 CVE published
May 13, 2026 Record updated