CVE-2026-55164 is a medium-severity security vulnerability in lemur (pip), affecting versions <= 1.9.1. It is fixed in 1.9.2.
Summary lemur.users.service.update() writes a user's new password as plaintext to the users.password column. The User model wires bcrypt hashing to SQLAlchemy's beforeinsert event but registers no equivalent listener for beforeupdate, and service.update() does not call user.hashpassword() after assigning the new value. Every password change performed through the admin-gated PUT /api/1/users/<id> endpoint persists the user's password to the database in cleartext. Root Cause lemur/users/models.py: lemur/users/service.py: No beforeupdate listener exists. User.password is a plain Column(String(128)) with no property setter that hashes on assignment. The bcrypt code path is bypassed entirely on every UPDATE statement that touches this column. Affected Endpoints | Method | Path | Source | |---|---|---| | PUT | /api/1/users/<id> | lemur/users/views.py:274 (gated by @adminpermission.require) | lemur/auth/views.py:323 also calls userservice.update() during SSO/OAuth login, but passes only six positional arguments. password defaults to None on that path and the if password: guard short-circuits. The bug is triggered only through the admin-only PUT handler. Impact When an administrator changes a user's password via PUT /api/1/users/<id>, the cleartext password is persisted to users.password. Subsequent login attempts for that user will fail (checkpassword calls bcrypt.checkpasswordhash against an unhashed value), pushing operators toward workarounds. The more serious consequence is a defense-in-depth bypass. Bcrypt is the protection that prevents a database compromise from yielding usable credentials. With plaintext rows present, an attacker who exfiltrates the users table, a backup, a read replica, or query logs obtains directly usable login credentials, no offline cracking required. Because users reuse passwords across services, the blast radius extends beyond Lemur. The bug specifically affects admin-driven password resets, which are the normal post-incident workflow and exactly when plaintext storage is most harmful. Steps to Reproduce Install Lemur with default config. Create an admin user and a target user 'alice' (created via the standard flow, password will be hashed correctly on insert). Verify the initial hash: psql lemur -c "SELECT password FROM users WHERE username='alice';" # Output: $2b$12$N9Q... (bcrypt hash, as expected) As admin, change alice's password via the API: curl -X PUT https://lemur.local/api/1/users/<aliceid> \ -H "Authorization: Bearer <adminjwt>" \ -H "Content-Type: application/json" \ -d '{ "username": "alice", "email": "[email protected]", "active": true, "profilepicture": null, "roles": [{"name": "operator"}], "password": "ProofOfConcept2026" }' Read the column again: psql lemur -c "SELECT password FROM users WHERE username='alice';" # Output: ProofOfConcept2026 ← plaintext, not hashed Confirm the failure mode: 'alice' can no longer log in with 'ProofOfConcept2026' because checkpassword runs bcrypt.checkpasswordhash() against the cleartext column. Remediation Register the listener for both events: Alternative, equivalent fix in the service layer: The listener fix is preferred because it closes the gap for any future code path that mutates user.password. A one-time migration is recommended to detect and re-hash any rows already stored in cleartext. Bcrypt hashes begin with $2b$, $2a$, or $2y$. Any cleartext credential should be treated as compromised, rotate it, do not just re-hash it, since it has been at rest in plaintext and may exist in backups, audit logs, and replicas.
CVE-2026-55164 has a CVSS score of 4.9 (Medium). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.9.2). Upgrading removes the vulnerable code path.
pip
lemur (<= 1.9.1)lemur → 1.9.2 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-55164 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-55164 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-55164 in your environment →Upgrade lemur to 1.9.2 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-55164 is a medium-severity security vulnerability in lemur (pip), affecting versions <= 1.9.1. It is fixed in 1.9.2.
CVE-2026-55164 has a CVSS score of 4.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
lemur (pip) versions <= 1.9.1 is affected.
Yes. CVE-2026-55164 is fixed in 1.9.2. Upgrade to this version or later.
Whether CVE-2026-55164 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade lemur to 1.9.2 or later.