Medium severity6.8NVD Advisory· Published May 12, 2026· Updated May 13, 2026

CVE-2026-44305

Description

Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled (LDAP_USE_TLS = True), Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a man-in-the-middle attacker positioned between Lemur and the LDAP server to intercept all authentication credentials. This vulnerability is fixed in 1.9.0.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-vr7c-r5gj-j3w5ghsaADVISORY
github.com/Netflix/lemur/releases/tag/v1.9.0ghsa
github.com/Netflix/lemur/security/advisories/GHSA-vr7c-r5gj-j3w5nvd
nvd.nist.gov/vuln/detail/CVE-2026-44305ghsa
www.python-ldap.org/en/python-ldap-3.4.0/reference/ldap.htmlghsa

News mentions

No linked articles in our index yet.

cvss	0.442
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000