How CVE-2026-55164 Works
CVE-2026-55164 is a vulnerability in Netflix’s Lemur, a certificate management tool, where an administrator-triggered password change results in the new password being written to the database in plaintext rather than as a bcrypt hash.
The root cause lies in an asymmetry between how Lemur handles password hashing on user creation versus user update. When a new user is created, the `User` model’s `hash_password()` method is triggered by SQLAlchemy’s `before_insert` event, correctly hashing the password with bcrypt before it is persisted. However, the developers only registered this listener for the `before_insert` event and neglected to register an equivalent `before_update` listener.
In the `lemur/users/service.py` file, the `update()` function retrieves a user object and, if a new password is provided, assigns it directly to `user.password` via a raw assignment. Because there is no `before_update` listener, the `hash_password()` method is never called during an update operation. The `User.password` column is defined as a plain `Column(String(128))` with no property setter that would intercept the assignment and perform hashing. The `database.update(user)` call then commits the raw, unhashed password string directly to the database.
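The listener asymmetry described above, as an added example that is not Lemur's own code: a minimal SQLAlchemy model with the same shape (a `hash_password()` method on the model, a mapper listener wired only to `before_insert`), driven through an in-memory SQLite database, followed by the fix of registering the same listener for `before_update`. Assumptions: bcrypt is replaced by a deterministic PBKDF2 stand-in so the example runs without extra dependencies, and the model, table and column names are constructed for illustration rather than taken from Lemur.

```python
"""Added example (not Lemur's code): reproduces the insert/update hashing
asymmetry with SQLAlchemy and an in-memory SQLite database, then shows the
fix of registering the same listener for before_update.

Assumptions: bcrypt is replaced by hashlib.pbkdf2_hmac with a fixed salt
purely to keep the example dependency-free; model, table and column names
are constructed for illustration, not taken from Lemur."""
import hashlib

from sqlalchemy import Column, Integer, String, create_engine
from sqlalchemy.event import listen, remove
from sqlalchemy.orm import Session, declarative_base

Base = declarative_base()
_SALT = b"example-salt"  # constructed; real bcrypt uses a per-hash random salt


def fake_hash(password: str) -> str:
    """Stand-in for bcrypt: deterministic PBKDF2 so results are repeatable."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)
    return "pbkdf2$" + digest.hex()


def is_hashed(value: str) -> bool:
    """True when the stored value carries the stand-in hash prefix."""
    return value.startswith("pbkdf2$")


class User(Base):
    __tablename__ = "users"
    id = Column(Integer, primary_key=True)
    username = Column(String(64), unique=True)
    # Plain column: nothing intercepts `user.password = "..."` assignments.
    password = Column(String(128))

    def hash_password(self):
        # Guard against re-hashing an already hashed value on unrelated updates.
        if self.password and not is_hashed(self.password):
            self.password = fake_hash(self.password)


def hash_password(mapper, connection, target):
    """Mapper-level listener that delegates to the model, as in the write-up."""
    target.hash_password()


# Vulnerable wiring: only inserts are hashed.
listen(User, "before_insert", hash_password)


def run_scenario(register_before_update: bool):
    """Create a user, then change the password the way a raw service-layer
    assignment would. Returns (stored_after_insert, stored_after_update)."""
    if register_before_update:
        listen(User, "before_update", hash_password)  # the fix
    try:
        engine = create_engine("sqlite://")
        Base.metadata.create_all(engine)
        with Session(engine) as session:
            user = User(username="alice", password="initial-secret")
            session.add(user)
            session.commit()
            stored_after_insert = user.password  # reloaded from the DB
            # Service-layer style update: raw assignment, then commit.
            user.password = "ProofOfConcept_2026"
            session.commit()
            stored_after_update = user.password  # reloaded from the DB
        return stored_after_insert, stored_after_update
    finally:
        if register_before_update:
            remove(User, "before_update", hash_password)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(register_before_update=False))
    print("fixed:     ", run_scenario(register_before_update=True))
```

Running the vulnerable scenario stores the hashed value on insert but the literal `ProofOfConcept_2026` after the update; with the `before_update` listener registered, both the insert and the update persist a hash, and the guard in `hash_password()` keeps later updates that leave the password untouched from hashing it a second time.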
This bug is triggered through the admin-gated `PUT /api/1/users/
The consequences are severe. A user whose password is changed via this endpoint will be unable to log in, as the login function calls `bcrypt.check_password_hash()` against the plaintext value stored in the database. More critically, this represents a defense-in-depth failure. If the database is compromised, an attacker gains direct access to usable plaintext credentials, bypassing the protection that bcrypt hashing is designed to provide.
DailyCVE Form
Platform: Lemur (Netflix)
Version: <= 1.9.1
Vulnerability: Plaintext Password Storage
Severity: Medium
Date: 2026-06-25
Prediction: 2026-06-25 (Fixed in 1.9.2)
What Undercode Says: Analytics
The following analytics and commands are derived from the vulnerability’s proof of concept.
Verify Initial Hash (Pre-Exploit)
psql lemur -c "SELECT password FROM users WHERE username='alice';"
Expected Output: `$2b$12$N9Q…` (a bcrypt hash)
Exploit: Change Password via API (as Admin)
curl -X PUT https://lemur.local/api/1/users/<alice_id> \
-H "Authorization: Bearer <admin_jwt>" \
-H "Content-Type: application/json" \
-d '{
"username": "alice",
"email": "[email protected]",
"active": true,
"profile_picture": null,
"roles": [{"name": "operator"}],
"password": "ProofOfConcept_2026"
}'
Note: The `password` field is sent in plaintext and will be stored as such.
Verify Plaintext Storage (Post-Exploit)
psql lemur -c "SELECT password FROM users WHERE username='alice';"
Actual Output: `ProofOfConcept_2026` (plaintext, not hashed)
Exploit
The exploitation of this vulnerability is straightforward and requires only administrative privileges, which are a prerequisite for the affected endpoint.
1. Prerequisites: An attacker must have administrative access to the Lemur instance. This could be a compromised admin account or a malicious insider.
2. Trigger: The attacker uses the `PUT /api/1/users/
3. Outcome: The API request succeeds, but the `user.password` column in the database is updated with the new password in plaintext.
4. Post-Exploitation: The plaintext password is now persisted. If the database is later exfiltrated, the attacker obtains the password in a directly usable form, bypassing the need for offline cracking.
Protection
- Immediate Patching: Upgrade to Lemur version 1.9.2 or later, which contains the fix for this vulnerability.
- Code-Level Fix (If Patching is Delayed): Register the `hash_password` listener for the `before_update` event in `lemur/users/models.py`:
listen(User, "before_update", hash_password)
Alternatively, add an explicit call to `user.hash_password()` in the service layer after assigning the password.
- Credential Rotation: Any user whose password was changed via the affected endpoint during the vulnerable period should have their password rotated immediately, as it has been stored in plaintext and may exist in backups or logs.
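The post-exploit verification query above and the credential-rotation step here both come down to one question: which rows in `users` hold something other than a bcrypt hash? The following is an added audit script, not part of the original write-up or of Lemur, that answers it offline. Assumptions: the table and column names mirror the `psql` query in the write-up (`users.username`, `users.password`), sqlite3 stands in for PostgreSQL, and the rows are constructed sample data (the hash-shaped values are syntactically valid but not real credentials).

```python
"""Added example (not Lemur's code): find users whose stored password is
not a bcrypt hash, so they can be scheduled for rotation.

Assumptions: table/column names mirror the write-up's psql query; sqlite3
stands in for PostgreSQL; the sample rows are constructed."""
import re
import sqlite3

# bcrypt's modular crypt format: $2a$/$2b$/$2x$/$2y$, a two-digit cost,
# then 22 salt characters + 31 hash characters in bcrypt's base64 alphabet,
# 60 characters in total.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")


def is_bcrypt_hash(value):
    """True only for a well-formed bcrypt hash string."""
    return value is not None and BCRYPT_RE.fullmatch(value) is not None


def find_unhashed_users(conn):
    """Return usernames whose password column does not hold a bcrypt hash.

    The same SELECT works against PostgreSQL; only the connection differs."""
    rows = conn.execute("SELECT username, password FROM users").fetchall()
    return sorted(username for username, stored in rows if not is_bcrypt_hash(stored))


def build_sample_db():
    """Constructed sample data standing in for a Lemur database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            # constructed: syntactically valid $2b$ hash at cost 12
            ("bob", "$2b$12$" + "a" * 53),
            # constructed: the plaintext left behind by the vulnerable update path
            ("alice", "ProofOfConcept_2026"),
            # constructed: older $2a$ prefix at cost 10, still a valid hash
            ("carol", "$2a$10$" + "B" * 53),
            # constructed: NULL password (e.g. SSO-only account), also flagged
            ("dave", None),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for username in find_unhashed_users(build_sample_db()):
        print("rotate:", username)
```

Rows flagged by `find_unhashed_users()` are the ones to rotate; treating a NULL as "not a hash" is deliberate so that accounts with no local password surface for review rather than being silently skipped, and the regex rejects values that merely start with `$2b$` but are truncated or padded.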
Impact
- Immediate Denial of Service: The affected user will be unable to log in because their plaintext password will fail the bcrypt verification check.
- Defense-in-Depth Bypass: The primary and most critical impact is the nullification of bcrypt’s protection. If the database is compromised, an attacker gains access to usable credentials without any cracking effort.
- Credential Reuse Risk: Given that users often reuse passwords across multiple services, the compromise of a Lemur password can lead to a broader compromise of other systems and applications.
- Data Breach Amplification: The plaintext passwords may be present in database backups, read replicas, and query logs, expanding the attack surface and the duration of exposure.
Sources:
Reported By: github.com