Summary
lemur.users.service.update() writes a user's new password as plaintext to the users.password column. The User model wires bcrypt hashing to SQLAlchemy's before_insert event but registers no equivalent listener for before_update, and service.update() does not call user.hash_password() after assigning the new value. Every password change performed through the admin-gated PUT /api/1/users/<id> endpoint persists the user's password to the database in cleartext.
Root Cause
lemur/users/models.py:
# line 38
class User(BaseModel):
__tablename__ = "users"
id = Column(Integer, primary_key=True)
password = Column(String(128)) # plain column, no setter, no Vault descriptor
# line 74
def hash_password(self):
if self.password:
self.password = bcrypt.generate_password_hash(self.password).decode("utf-8")
# line 111
listen(User, "before_insert", hash_password) # only before_insert is wiredlemur/users/service.py:
# line 46
def update(user_id, username, email, active, profile_picture, roles, password=None):
...
user = get(user_id)
user.username = username
user.email = email
user.active = active
user.profile_picture = profile_picture
if password:
user.password = password # raw assignment
update_roles(user, roles)
return database.update(user) # commits, no hashingNo before_update listener exists. User.password is a plain Column(String(128)) with no property setter that hashes on assignment. The bcrypt code path is bypassed entirely on every UPDATE statement that touches this column.
Affected Endpoints
| Method |
Path |
Source |
| PUT |
/api/1/users/<id> |
lemur/users/views.py:274 (gated by @admin_permission.require) |
lemur/auth/views.py:323 also calls user_service.update() during SSO/OAuth login, but passes only six positional arguments. password defaults to None on that path and the if password: guard short-circuits. The bug is triggered only through the admin-only PUT handler.
Impact
When an administrator changes a user's password via PUT /api/1/users/<id>, the cleartext password is persisted to users.password. Subsequent login attempts for that user will fail (check_password calls bcrypt.check_password_hash against an unhashed value), pushing operators toward workarounds.
The more serious consequence is a defense-in-depth bypass. Bcrypt is the protection that prevents a database compromise from yielding usable credentials. With plaintext rows present, an attacker who exfiltrates the users table, a backup, a read replica, or query logs obtains directly usable login credentials — no offline cracking required. Because users reuse passwords across services, the blast radius extends beyond Lemur.
The bug specifically affects admin-driven password resets, which are the normal post-incident workflow and exactly when plaintext storage is most harmful.
Steps to Reproduce
-
Install Lemur with default config. Create an admin user and a target user 'alice' (created via the standard flow, password will be hashed correctly on insert).
-
Verify the initial hash:
psql lemur -c "SELECT password FROM users WHERE username='alice';"
Output: $2b$12$N9Q... (bcrypt hash, as expected)
-
As admin, change alice's password via the API:
curl -X PUT https://lemur.local/api/1/users/<alice_id>
-H "Authorization: Bearer <admin_jwt>"
-H "Content-Type: application/json"
-d '{
"username": "alice",
"email": "alice@example.com",
"active": true,
"profile_picture": null,
"roles": [{"name": "operator"}],
"password": "ProofOfConcept_2026"
}'
-
Read the column again:
psql lemur -c "SELECT password FROM users WHERE username='alice';"
Output: ProofOfConcept_2026 ← plaintext, not hashed
-
Confirm the failure mode: 'alice' can no longer log in with 'ProofOfConcept_2026'
because check_password runs bcrypt.check_password_hash() against the cleartext column.
Remediation
Register the listener for both events:
# lemur/users/models.py
listen(User, "before_insert", hash_password)
listen(User, "before_update", hash_password)
Alternative, equivalent fix in the service layer:
# lemur/users/service.py, in update()
if password:
user.password = password
user.hash_password()The listener fix is preferred because it closes the gap for any future code path that mutates user.password.
A one-time migration is recommended to detect and re-hash any rows already stored in cleartext. Bcrypt hashes begin with $2b$, $2a$, or $2y$. Any cleartext credential should be treated as compromised — rotate it, do not just re-hash it — since it has been at rest in plaintext and may exist in backups, audit logs, and replicas.
References
sour-exploit Reporter
Summary
lemur.users.service.update()writes a user's new password as plaintext to theusers.passwordcolumn. TheUsermodel wires bcrypt hashing to SQLAlchemy'sbefore_insertevent but registers no equivalent listener forbefore_update, andservice.update()does not calluser.hash_password()after assigning the new value. Every password change performed through the admin-gatedPUT /api/1/users/<id>endpoint persists the user's password to the database in cleartext.Root Cause
lemur/users/models.py:lemur/users/service.py:No
before_updatelistener exists.User.passwordis a plainColumn(String(128))with no property setter that hashes on assignment. The bcrypt code path is bypassed entirely on every UPDATE statement that touches this column.Affected Endpoints
<id>@admin_permission.require)lemur/auth/views.py:323also callsuser_service.update()during SSO/OAuth login, but passes only six positional arguments.passworddefaults toNoneon that path and theif password:guard short-circuits. The bug is triggered only through the admin-only PUT handler.Impact
When an administrator changes a user's password via
PUT /api/1/users/<id>, the cleartext password is persisted tousers.password. Subsequent login attempts for that user will fail (check_passwordcallsbcrypt.check_password_hashagainst an unhashed value), pushing operators toward workarounds.The more serious consequence is a defense-in-depth bypass. Bcrypt is the protection that prevents a database compromise from yielding usable credentials. With plaintext rows present, an attacker who exfiltrates the
userstable, a backup, a read replica, or query logs obtains directly usable login credentials — no offline cracking required. Because users reuse passwords across services, the blast radius extends beyond Lemur.The bug specifically affects admin-driven password resets, which are the normal post-incident workflow and exactly when plaintext storage is most harmful.
Steps to Reproduce
Install Lemur with default config. Create an admin user and a target user 'alice' (created via the standard flow, password will be hashed correctly on insert).
Verify the initial hash:
psql lemur -c "SELECT password FROM users WHERE username='alice';"
Output: $2b$12$N9Q... (bcrypt hash, as expected)
As admin, change alice's password via the API:
curl -X PUT https://lemur.local/api/1/users/<alice_id>
-H "Authorization: Bearer <admin_jwt>"
-H "Content-Type: application/json"
-d '{
"username": "alice",
"email": "alice@example.com",
"active": true,
"profile_picture": null,
"roles": [{"name": "operator"}],
"password": "ProofOfConcept_2026"
}'
Read the column again:
psql lemur -c "SELECT password FROM users WHERE username='alice';"
Output: ProofOfConcept_2026 ← plaintext, not hashed
Confirm the failure mode: 'alice' can no longer log in with 'ProofOfConcept_2026'
because check_password runs bcrypt.check_password_hash() against the cleartext column.
Remediation
Register the listener for both events:
Alternative, equivalent fix in the service layer:
The listener fix is preferred because it closes the gap for any future code path that mutates
user.password.A one-time migration is recommended to detect and re-hash any rows already stored in cleartext. Bcrypt hashes begin with
$2b$,$2a$, or$2y$. Any cleartext credential should be treated as compromised — rotate it, do not just re-hash it — since it has been at rest in plaintext and may exist in backups, audit logs, and replicas.References