Skip to content
This repository was archived by the owner on Jul 7, 2026. It is now read-only.

v1.9.1

Choose a tag to compare

@jtschladen jtschladen released this 28 May 17:19
f478458
  • Fixed authorization bypass (GHSA-qcqw-jwxc-2hqg) where StrictRolePermission and AuthorityCreatorPermission
    granted access to any authenticated user on default Lemur installs. Both LEMUR_STRICT_ROLE_ENFORCEMENT and
    ADMIN_ONLY_AUTHORITY_CREATION now default to True (fail-closed). Existing installs that explicitly set
    either flag to False are unaffected.