python · lemur · Critical

lemur: plaintext password storage on admin password update via API

When an admin updates a user's password via PUT /api/1/users/<id>, the password is stored as plaintext in the users.password column.

26 Jun 2026 · Severity: act now

What changed

When an admin updates a user's password via PUT /api/1/users/<id>, the password is stored as plaintext in the users.password column because the before_update listener is missing and service.update() does not call hash_password().

Who it affects

All Lemur deployments where admin users change passwords through the API endpoint PUT /api/1/users/<id>.

What to do today

Apply the fix by adding a before_update listener or calling user.hash_password() in service.update(), then rotate any passwords that may have been stored in plaintext.
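The bug and the remediation check, as an added illustration that is not Lemur's own code: an update path that writes the raw password beside one that hashes first, plus an audit query that lists rows whose password column does not carry a hash, which is the set to rotate. The hash format and the sqlite3 table are assumptions standing in for Lemur's bcrypt hashing and its SQLAlchemy users model.

```python
import hashlib
import os
import sqlite3

# Assumption: stand-in for Lemur's bcrypt-based User.hash_password(); any
# stored value that starts with this prefix is treated as already hashed.
HASH_PREFIX = "$pbkdf2-sha256$"


def hash_password(plain: str) -> str:
    """Salted PBKDF2 hash of a plaintext password (stand-in for bcrypt)."""
    salt = os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt.encode(), 100_000)
    return f"{HASH_PREFIX}{salt}${digest.hex()}"


def is_hashed(value: str) -> bool:
    """True when the stored column value looks like a hash, not a password."""
    return value.startswith(HASH_PREFIX)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table mirroring the users.password column."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    return con


def create_user(con: sqlite3.Connection, username: str, password: str) -> int:
    # Insert path: the password is hashed before it reaches the row.
    cur = con.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                      (username, hash_password(password)))
    return cur.lastrowid


def update_password_vulnerable(con: sqlite3.Connection, user_id: int, password: str) -> None:
    # Mirrors the defect: no before_update hook and no hash_password() call,
    # so the raw value from the PUT request lands in users.password.
    con.execute("UPDATE users SET password = ? WHERE id = ?", (password, user_id))


def update_password_fixed(con: sqlite3.Connection, user_id: int, password: str) -> None:
    # Remediated path: hash explicitly before the update, as the fix requires.
    con.execute("UPDATE users SET password = ? WHERE id = ?", (hash_password(password), user_id))


def find_plaintext_rows(con: sqlite3.Connection) -> list:
    """Audit: ids of users whose stored password is not a hash (rotate these)."""
    rows = con.execute("SELECT id, password FROM users").fetchall()
    return [uid for uid, stored in rows if not is_hashed(stored)]
```

Run the audit against a copy of the real users table before rotating: it reports which accounts were touched by the unhashed update path, not the passwords themselves.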
