CVE-2026-55162

MEDIUMPre-NVD 6.36.3
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.3 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
6.3
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 6.3Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Lemur: Crafted CRL/OCSP URLs in uploaded certificates lead to post-authentication SSRF

Summary

When verifying an uploaded certificate, lemur/certificates/verify.py extracts the CRL Distribution Point URL and the OCSP responder URL directly from the certificate's extensions and issues outbound requests to those URLs without scheme restriction or destination allow-listing. An authenticated user holding the operator role (required by StrictRolePermission on POST /certificates/upload) can craft a certificate whose extensions point at internal services - instance metadata endpoints, internal Kubernetes API servers, RFC1918 hosts, link-local addresses - and cause the Lemur host to issue requests against those destinations during verification.

Root Cause

lemur/certificates/verify.py, crl_verify:
point = p.full_name[0].value                          # URL from CDP extension of uploaded cert
...
response = requests.get(point, timeout=(3.05, 6))     # no allow-list, no destination filter
lemur/certificates/verify.py, ocsp_verify:
command = ["openssl", "x509", "-noout", "-ocsp_uri", "-in", cert_path]
p1 = subprocess.Popen(command, stdout=subprocess.PIPE, ...)
url, _ = p1.communicate()
p2 = subprocess.Popen(
    ["openssl", "ocsp", "-issuer", issuer_chain_path, "-cert", cert_path,
     "-url", url.strip()],                            # attacker-controlled URL
    ...
)
In both code paths the URL flows from attacker-controlled certificate-extension content to a network sink with no validation against an allow-list of hostnames, no scheme restriction beyond rejecting LDAP via InvalidSchema, and no filtering of RFC1918 / link-local (169.254/16) / loopback / IPv6 ULA destinations.

Affected Endpoints

| Method | Path | Source | |---|---|---| | POST | /api/1/certificates/upload | verify_stringcrl_verify / ocsp_verify | The bug additionally surfaces anywhere verify_string is invoked on attacker-influenced certificate content (sync paths, source plugin re-validation, etc.). The upload endpoint is the most direct trigger.

Impact

An operator-role attacker can:
  • Probe the Lemur host's internal network through outbound CRL/OCSP fetches and infer topology from response timings and error messages.
  • On EC2 instances without IMDSv2 enforcement, cause requests to http://169.254.169.254/ and influence downstream behavior of components that parse the response.
  • Pin attacker-controlled CRLs into the unbounded module-level crl_cache dict (see Advisory 4c) for permanent cache poisoning - once cached, a poisoned CRL is served to every subsequent verification for the same URL.
The operator-role precondition reduces severity from what an unauthenticated SSRF would warrant, but operators are still meaningfully less trusted than the host's network position. PKI workflows also routinely process third-party certificates whose extensions are not directly controlled by the operator, broadening the trigger surface beyond purely-malicious operators.

Remediation

Filter the URL before it reaches the network sink. Either:
  • Maintain an explicit allow-list of CRL/OCSP hostnames in configuration (e.g., LEMUR_TRUSTED_CRL_HOSTS and LEMUR_TRUSTED_OCSP_HOSTS) and reject anything outside the list, or
  • Use an SSRF-safe HTTP client wrapper that resolves the destination, rejects RFC1918 / link-local / loopback / IPv6 ULA addresses before connecting, and pins the resolved IP to defeat DNS rebinding.
For OCSP, route the parsed URL through the same wrapper before passing it as -url to openssl ocsp. Additionally, bound crl_cache (see Advisory 4c) to prevent the SSRF vector from amplifying into a persistent cache-poisoning condition.

Steps to Reproduce

  • Set up Lemur on an EC2 instance with IMDSv1 enabled (or any host with reachable RFC1918 services). Create an admin user and an operator-role user eve.
  • Generate a self-signed certificate whose extensions point at internal services:
cat > openssl.cnf <" \
        -H "Content-Type: application/json" \
        -d "{
              \"name\": \"ssrf-poc\",
              \"body\": \"$BODY\",
              \"chain\": \"\",
              \"private_key\": \"\",
              \"owner\": \"[email protected]\"
            }"
  • Observe the outbound request to 169.254.169.254 in the tcpdump output. The request originates from the Lemur process during verify_string processing of the uploaded cert. The attacker has successfully induced a server-side request to an internal address of their choosing.

CVSS v3
6.3
EG Score
6.3(low)
EPSS
KEV
Not listed

Published

June 25, 2026

Last Modified

June 25, 2026

Vendor Advisories for CVE-2026-55162(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Frequently asked(4)

What is CVE-2026-55162?
CVE-2026-55162 is a medium vulnerability published on June 25, 2026. Lemur: Crafted CRL/OCSP URLs in uploaded certificates lead to post-authentication SSRF Summary When verifying an uploaded certificate, lemur/certificates/verify.py extracts the CRL Distribution Point URL and the OCSP responder URL directly from the certificate's extensions and issues outbound…
When was CVE-2026-55162 disclosed?
CVE-2026-55162 was first published in the National Vulnerability Database on June 25, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-55162?
CVE-2026-55162 has a CVSS v4.0 base score of 6.3 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-55162?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-55162, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-55162

Explore →

Is Your Infrastructure Affected by CVE-2026-55162?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.