lemur
python · lemur · Heads-up
lemur: Insufficient authorization in PUT /api/1/roles/<id> allows role modification by any member
The PUT /api/1/roles/<id> endpoint in lemur/roles/views.
26 Jun 2026 · schedule it
python · lemur · Critical
lemur: plaintext password storage on admin password update via API
When an admin updates a user's password via PUT /api/1/users/<id>, the password is stored as plaintext in the users.
26 Jun 2026 · act now
python · lemur · Heads-up
Lemur 1.9.0 JWT Algorithm Confusion in auth/service.py
JWT verifier in auth/service.py:130-137 reads the 'alg' header from the unverified token and passes it directly to pyjwt.decode()
26 Jun 2026 · schedule it
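Added example, not Lemur's code and not pyjwt: a minimal JWT implementation (HS256 and "none" only, standard library) showing why a verifier that takes `alg` from the unverified header is unsafe. The "none" variant is shown because it needs no key material; the RS256-to-HS256 variant (signing with the server's public key as the HMAC secret) has the same root cause but needs an RSA key pair. The key and payloads are constructed for the example. `decode_trusting_header` is the vulnerable pattern, `decode_pinned` the fix: the verifier, not the token, decides which algorithms are acceptable.

```python
"""Algorithm confusion: trusting the token's own 'alg' header.

Stand-in for pyjwt written with the standard library only (not Lemur's code).
"""
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _signature(signing_input: bytes, key: bytes, alg: str) -> bytes:
    """Signature bytes for the two algorithms this toy supports."""
    if alg == "HS256":
        return hmac.new(key, signing_input, hashlib.sha256).digest()
    if alg == "none":
        return b""  # RFC 7518 'none': unsecured JWT, empty signature
    raise ValueError(f"unsupported alg {alg!r}")


def encode(payload: dict, key: bytes, alg: str = "HS256") -> str:
    header = {"alg": alg, "typ": "JWT"}
    parts = [
        _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
        for obj in (header, payload)
    ]
    signing_input = ".".join(parts).encode("ascii")
    return ".".join(parts + [_b64url_encode(_signature(signing_input, key, alg))])


def _verify(token: str, key: bytes, alg: str) -> dict:
    head, body, sig = token.split(".")
    expected = _signature(f"{head}.{body}".encode("ascii"), key, alg)
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def decode_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable pattern: the algorithm comes from the unverified header,
    so an attacker picks 'none' and the signature check is skipped."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return _verify(token, key, header["alg"])


def decode_pinned(token: str, key: bytes, algorithms=("HS256",)) -> dict:
    """Hardened pattern: the verifier pins the allowed algorithms
    (the equivalent of pyjwt's `algorithms=` argument)."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    alg = header.get("alg")
    if alg not in algorithms:
        raise ValueError(f"alg {alg!r} not allowed")
    return _verify(token, key, alg)


def forge_none_token(payload: dict) -> str:
    """Attacker side: no key needed, the signature segment is empty."""
    return encode(payload, b"", alg="none")


def accepts(decoder, token: str, key: bytes) -> bool:
    """True if `decoder` returns a payload for `token`, False if it rejects."""
    try:
        decoder(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"server-secret"  # constructed for the example
    legit = encode({"sub": "alice"}, key)
    forged = forge_none_token({"sub": "admin"})
    print("legit, trusting header:", accepts(decode_trusting_header, legit, key))
    print("forged, trusting header:", accepts(decode_trusting_header, forged, key))
    print("forged, pinned HS256:  ", accepts(decode_pinned, forged, key))
```

The same check applies to any signing library: if the only place the algorithm is named is the attacker-controlled header, the attacker chooses the verification routine.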
python · lemur · Critical
lemur: Authorization bypass due to default False config flags in permissions
In lemur/auth/permissions.py, `StrictRolePermission` and `AuthorityCreatorPermission` passed zero `Need`s to `flask_principal.Perm
26 Jun 2026 · act now
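Added example, not Lemur's code and not flask_principal itself: a minimal model of `flask_principal.Permission.allows()` (assumed here to grant when the needs set is empty, which is the behaviour the advisory above relies on), showing that a permission built from zero `Need`s is granted to every identity, and a fail-closed variant. `permission_from_flags` is a hypothetical builder that illustrates how all-False config flags produce an empty needs set; the flag names and identities are constructed for the example.

```python
"""Why a Permission with zero Needs is an authorization bypass.

Model of flask_principal semantics (assumption, not the library itself).
"""
from collections import namedtuple

Need = namedtuple("Need", ["method", "value"])


def RoleNeed(role: str) -> Need:
    return Need("role", role)


class Identity:
    def __init__(self, *provides: Need):
        self.provides = set(provides)


class Permission:
    """Models flask_principal.Permission.allows(): an empty needs set
    never fails the intersection test, so it allows every identity."""

    def __init__(self, *needs: Need):
        self.needs = set(needs)

    def allows(self, identity: Identity) -> bool:
        if self.needs and not self.needs.intersection(identity.provides):
            return False
        return True


class FailClosedPermission(Permission):
    """Hardened: no needs means nobody is authorized, not everybody."""

    def allows(self, identity: Identity) -> bool:
        if not self.needs:
            return False
        return super().allows(identity)


def permission_from_flags(flags: dict, fail_closed: bool = False) -> Permission:
    """Hypothetical builder: one RoleNeed per flag that is True.
    With every flag at its False default the needs set is empty."""
    needs = [RoleNeed(role) for role, enabled in flags.items() if enabled]
    cls = FailClosedPermission if fail_closed else Permission
    return cls(*needs)


if __name__ == "__main__":
    nobody = Identity()
    defaults = {"admin_required": False, "operator_required": False}
    print("open by default:", permission_from_flags(defaults).allows(nobody))
    print("fail closed:    ", permission_from_flags(defaults, True).allows(nobody))
```

The check to add in review: every `Permission` subclass should either always contribute at least one `Need` or override `allows` to deny on an empty set, so that a forgotten or defaulted config flag cannot silently widen access.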