CVE-2026-48508

HIGHPre-NVD 8.88.8
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.8 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
8.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 8.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission

Summary

StrictRolePermission and AuthorityCreatorPermission in lemur/auth/permissions.py call flask_principal.Permission.__init__() with zero Needs when their config flags are unset. Both flags defaulted to False in code prior to the fix, so this was the state of any Lemur install that hadn't explicitly opted in.

Flask-Principal's Permission.allows() returns True whenever self.needs is empty. The .can() gate therefore passes for every authenticated identity, including the lowest-privilege role Lemur ships (read-only).

A user holding only read-only can create root Certificate Authorities, create and edit notifications (an SSRF sink), create domain entries, and upload arbitrary certificates. These classes are the sole authorization check on those endpoints.

Root Cause

# lemur/auth/permissions.py
class AuthorityCreatorPermission(Permission):
    def __init__(self):
        requires_admin = current_app.config.get("ADMIN_ONLY_AUTHORITY_CREATION", False)
        if requires_admin:
            super().__init__(RoleNeed("admin"))
        else:
            super().__init__()              # empty Need set

class StrictRolePermission(Permission): def __init__(self): strict_role_enforcement = current_app.config.get("LEMUR_STRICT_ROLE_ENFORCEMENT", False) if strict_role_enforcement: needs = [RoleNeed("admin"), RoleNeed("operator")] super().__init__(*needs) else: super().__init__() # empty Need set

flask_principal.Permission.allows() (upstream, v0.4.0):

def allows(self, identity):
    if self.needs and not self.needs.intersection(identity.provides):
        return False
    ...
    return True

When self.needs == set(), the first guard is falsy and is skipped. excludes is also empty, so allows() returns True for any identity. AuthenticatedResource (the parent class for these views) sets method_decorators = [login_required], which checks authentication only, no role. So the permission .can() is the only authorization layer in front of these endpoints.

Affected Endpoints

Views whose only authorization check is StrictRolePermission().can() or AuthorityCreatorPermission().can():

| Method | Path | Source | |----------|-------------------------------------------|-----------------------------------------| | POST | /api/1/authorities | lemur/authorities/views.py:231 | | POST | /api/1/certificates/upload | lemur/certificates/views.py:651 | | POST | /api/1/pending_certificates/\/upload | lemur/pending_certificates/views.py:545 | | POST | /api/1/notifications | lemur/notifications/views.py:227 | | PUT/DEL | /api/1/notifications/\ | lemur/notifications/views.py:370,384 | | POST | /api/1/domains | lemur/domains/views.py:131 |

POST /api/1/authorities is gated by AuthorityCreatorPermission().can() and StrictRolePermission().can(); both have empty Needs by default. The other rows are gated by StrictRolePermission().can() alone.

Note on scope: PUT /api/1/authorities/ also references StrictRolePermission, but its gate is AuthorityPermission(...).can() and StrictRolePermission().can(). AuthorityPermission is constructed with non-empty Needs (RoleNeed("admin") plus authority-scoped needs), so that endpoint is not bypassable by a read-only user and is excluded from this report.

Impact

A user holding only the read-only role can:

  • Create root Certificate Authorities. CA cert and private key are persisted in Lemur's DB with the attacker as owner. Any internal trust store that pins Lemur-managed roots can now be signed against by the attacker.
  • Upload arbitrary certificates via /certificates/upload, including attacker-supplied keys with destinations such as AWS push.
  • Create or modify notifications, which reach an SSRF sink (see related finding F3, Slack notification webhook).
  • Mark arbitrary domains as sensitive, manipulating Lemur's domain registry and the cert-issuance approval path.

Combined with any low-privilege credential leak (phished employee, leaked SSO token) or insider access, this is a pivot from "any authenticated identity" to control of the PKI issuance plane.

Remediation

The config flag defaults for ADMIN_ONLY_AUTHORITY_CREATION and LEMUR_STRICT_ROLE_ENFORCEMENT were changed from False to True. Restrictive role enforcement is now active on all default installs without requiring explicit configuration.

class AuthorityCreatorPermission(Permission):
    def __init__(self):
        requires_admin = current_app.config.get("ADMIN_ONLY_AUTHORITY_CREATION", True)
        ...

class StrictRolePermission(Permission): def __init__(self): strict_role_enforcement = current_app.config.get("LEMUR_STRICT_ROLE_ENFORCEMENT", True) ...

Note: The opt-out branches (empty Needs) remain in the code. Operators who explicitly set ADMIN_ONLY_AUTHORITY_CREATION = False or LEMUR_STRICT_ROLE_ENFORCEMENT = False in their config will reintroduce the bypass. These flags should be left unset or set to True.

CVSS v3
8.8
EG Score
8.8(low)
EPSS
KEV
Not listed

Published

June 25, 2026

Last Modified

June 25, 2026

Vendor Advisories for CVE-2026-48508(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 14× in last 7d / 23× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 03:03 UTCEG score recompute
  2. 2026-07-06 14:51 UTCEG score recompute
  3. 2026-07-06 02:38 UTCEG score recompute
  4. 2026-07-05 14:26 UTCEG score recompute
  5. 2026-07-05 02:15 UTCEG score recompute
  6. 2026-07-04 14:04 UTCEG score recompute
  7. 2026-07-04 01:53 UTCEG score recompute
  8. 2026-07-03 13:39 UTCEG score recompute
  9. 2026-07-03 01:27 UTCEG score recompute
  10. 2026-07-02 13:15 UTCEG score recompute
  11. 2026-07-02 01:03 UTCEG score recompute
  12. 2026-07-01 12:50 UTCEG score recompute
  13. 2026-07-01 00:39 UTCEG score recompute
  14. 2026-06-30 12:27 UTCEG score recompute
  15. 2026-06-30 00:17 UTCEG score recompute
  16. 2026-06-29 12:05 UTCEG score recompute
  17. 2026-06-28 23:54 UTCEG score recompute
  18. 2026-06-28 11:42 UTCEG score recompute
  19. 2026-06-27 23:31 UTCEG score recompute
  20. 2026-06-27 11:20 UTCEG score recompute
  21. 2026-06-26 23:08 UTCEG score recompute
  22. 2026-06-26 10:57 UTCEG score recompute
  23. 2026-06-25 19:46 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-48508?
CVE-2026-48508 is a high vulnerability published on June 25, 2026. Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission Summary StrictRolePermission and AuthorityCreatorPermission in lemur/auth/permissions.py call flask_principal.Permission.init() with zero Needs when their config flags are unset. Both flags defaulted to False in…
When was CVE-2026-48508 disclosed?
CVE-2026-48508 was first published in the National Vulnerability Database on June 25, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-48508?
CVE-2026-48508 has a CVSS v4.0 base score of 8.8 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-48508?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48508, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-48508

Explore →

Is Your Infrastructure Affected by CVE-2026-48508?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.