Which SIEM platforms have a CVE-2026-55166 detection rule?

df00tech provides CVE-2026-55166 (CVE-2026-55166: Lemur ACME SSRF and IDOR Leading to AWS IAM/PKI Compromise) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect CVE-2026-55166: Lemur ACME SSRF and IDOR Leading to AWS IAM/PKI Compromise (CVE-2026-55166)?

Detecting CVE-2026-55166: Lemur ACME SSRF and IDOR Leading to AWS IAM/PKI Compromise requires the following data sources: Azure Application Gateway, IIS Web Logs, Common Security Log (WAF/Proxy), Azure Diagnostics.

What severity and confidence is the CVE-2026-55166 detection?

The CVE-2026-55166 detection is rated critical severity with high confidence.

What are common false positives for CVE-2026-55166?

Common false positives for CVE-2026-55166 include: Legitimate ACME DNS/HTTP-01 validation workflows that include internal URL callbacks; Authorized penetration testing against Lemur certificate management endpoints; Automated certificate renewal agents making high-frequency API calls.

CVE-2026-55166: CVE-2026-55166: Lemur ACME SSRF and IDOR Leading to AWS IAM/PKI Compromise — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

union
  (
    AzureDiagnostics
    | where Category == "ApplicationGatewayAccessLog" or Category == "FrontDoorAccessLog"
    | where requestUri_s matches regex @"/api/v1/(certificates|authorities|pending_certificates)"
    | where requestUri_s matches regex @"(acme|challenge|validation|dns-01|http-01|tls-alpn)"
    | extend SuspiciousTarget = extract(@"url=([^&\s]+)", 1, requestUri_s)
    | where SuspiciousTarget matches regex @"(169\.254\.169\.254|fd00:ec2|metadata\.google|127\.|localhost|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)"
  ),
  (
    W3CIISLog
    | where csUriStem matches regex @"/api/v1/(certificates|authorities|pending_certificates)"
    | where csMethod in ("POST", "PUT", "PATCH")
    | extend BodyHint = tostring(csUriQuery)
    | where BodyHint matches regex @"(acme|url=|validation_method)"
    | summarize RequestCount = count(), DistinctUris = dcount(csUriStem) by cIP, bin(TimeGenerated, 5m)
    | where RequestCount > 10
  ),
  (
    CommonSecurityLog
    | where DeviceVendor == "nginx" or ApplicationProtocol == "HTTP"
    | where RequestURL matches regex @"/api/v1/certificates/[0-9]+"
    | where RequestMethod in ("GET", "PUT", "DELETE")
    | summarize Owners = make_set(SourceUserName), RequestCount = count() by DestinationHostName, RequestURL, bin(TimeGenerated, 10m)
    | where array_length(Owners) > 1
  )
| project TimeGenerated, SourceIP = coalesce(cIP, SourceIP), RequestURL = coalesce(csUriStem, RequestURL, requestUri_s), SuspiciousTarget, RequestCount

Detects three exploitation patterns: SSRF via ACME challenge URL manipulation targeting cloud metadata endpoints, high-frequency certificate API probing indicative of IDOR enumeration, and cross-owner access to certificate resources.

critical severity high confidence

Data Sources

Azure Application Gateway IIS Web Logs Common Security Log (WAF/Proxy) Azure Diagnostics

Required Tables

AzureDiagnostics W3CIISLog CommonSecurityLog

False Positives

Legitimate ACME DNS/HTTP-01 validation workflows that include internal URL callbacks
Authorized penetration testing against Lemur certificate management endpoints
Automated certificate renewal agents making high-frequency API calls
Internal network scanners or health-check systems probing Lemur API

Splunk

spl

index=web OR index=proxy OR index=app sourcetype IN (access_combined, iis, nginx, haproxy_http, json_web)
| eval uri=coalesce(uri, cs_uri_stem, request_url, url)
| eval src_ip=coalesce(src_ip, c_ip, clientip, X_Forwarded_For)
| eval method=coalesce(method, cs_method, http_method)
| where match(uri, "/api/v1/(certificates|authorities|pending_certificates)")
| eval is_acme_ssrf=if(match(uri, "(acme|challenge|validation)") AND match(uri, "url="), 1, 0)
| eval is_metadata_ssrf=if(match(uri, "(169\.254\.169\.254|169\.254\.169\.253|fd00:ec2|metadata\.google|metadata\.internal)"), 1, 0)
| eval is_idor_probe=if(method IN ("GET","PUT","DELETE") AND match(uri, "/certificates/[0-9]+"), 1, 0)
| eval alert_type=case(
    is_metadata_ssrf=1, "SSRF_CLOUD_METADATA",
    is_acme_ssrf=1, "SSRF_ACME_CALLBACK",
    is_idor_probe=1, "IDOR_CERT_ENUMERATION",
    true(), "SUSPICIOUS_LEMUR_API"
  )
| where is_acme_ssrf=1 OR is_metadata_ssrf=1 OR is_idor_probe=1
| stats count as request_count, values(alert_type) as alert_types, values(uri) as uris, dc(uri) as distinct_uris by src_ip, _time span=5m
| where request_count > 5 OR mvfind(alert_types, "SSRF_CLOUD_METADATA") >= 0
| eval risk_score=case(
    mvfind(alert_types, "SSRF_CLOUD_METADATA") >= 0, 95,
    mvfind(alert_types, "SSRF_ACME_CALLBACK") >= 0, 75,
    true(), 60
  )
| sort - risk_score
| table _time, src_ip, alert_types, request_count, distinct_uris, uris, risk_score

Identifies Lemur CVE-2026-55166 exploitation via ACME SSRF callbacks targeting cloud metadata services and IDOR enumeration of certificate IDs, scored by attack phase severity.

critical severity high confidence

Data Sources

Web/Proxy Logs Application Logs Load Balancer Logs

Required Sourcetypes

access_combined iis nginx haproxy_http json_web

False Positives

Automated ACME renewal bots with internal validation endpoints
Security scanners performing authorized vulnerability assessments
Certificate lifecycle management tools with high API call volume
Load balancer health checks against Lemur API endpoints

Elastic Security (EQL)

eql

sequence by source.ip with maxspan=10m
  [
    http where
      url.path like~ "/api/v1/*" and
      (
        url.path like~ "*acme*" or
        url.path like~ "*challenge*" or
        url.path like~ "*validation*"
      ) and
      (
        url.query like~ "*url=*" or
        url.query like~ "*callback*"
      )
  ] by source.ip
  [
    http where
      (
        url.path like~ "*169.254.169.254*" or
        url.path like~ "*169.254.169.253*" or
        url.query like~ "*169.254.169.254*" or
        url.query like~ "*metadata.google*" or
        url.query like~ "*fd00:ec2*"
      ) or
      (
        network.direction == "egress" and
        destination.ip == "169.254.254.169"
      )
  ] by source.ip

EQL sequence correlation: detects an ACME challenge/callback request from a source IP followed within 10 minutes by a request or outbound connection to a cloud metadata endpoint, indicating successful SSRF chain.

critical severity medium confidence

Data Sources

Elastic APM Packetbeat Filebeat (web logs) Auditbeat

Required Tables

logs-* packetbeat-* filebeat-*

False Positives

Legitimate ACME HTTP-01 validation where challenge server resolves to internal range
Split-horizon DNS configurations that resolve metadata-like hostnames internally
Authorized red team exercises simulating SSRF chains
Misconfigured certificate plugins using internal callback URLs

IBM QRadar (AQL)

sql

SELECT
  sourceip,
  "URL" as request_url,
  username,
  starttime,
  CATEGORYDESCRIPTION(category) as event_category,
  CASE
    WHEN "URL" ILIKE '%169.254.169.254%' OR "URL" ILIKE '%fd00:ec2%' THEN 'CLOUD_METADATA_SSRF'
    WHEN "URL" ILIKE '%acme%' AND "URL" ILIKE '%url=%' THEN 'ACME_CALLBACK_SSRF'
    WHEN "URL" ILIKE '/api/v1/certificates/%' AND "METHOD" IN ('PUT','DELETE','GET') THEN 'IDOR_CERT_ACCESS'
    ELSE 'SUSPICIOUS'
  END as attack_phase,
  COUNT(*) as event_count
FROM events
WHERE
  devicetype IN (10, 15, 18, 105)
  AND (
    ("URL" ILIKE '/api/v1/certificates%' OR "URL" ILIKE '/api/v1/authorities%' OR "URL" ILIKE '/api/v1/pending_certificates%')
    AND (
      "URL" ILIKE '%acme%'
      OR "URL" ILIKE '%169.254.169.254%'
      OR "URL" ILIKE '%challenge%'
      OR ("URL" ILIKE '/api/v1/certificates/%' AND REGEXP_MATCH("URL", '/api/v1/certificates/[0-9]+'))
    )
  )
  AND LOGSOURCETYPENAME(devicetype) NOT IN ('IBM Security AppScan', 'Tenable')
GROUP BY sourceip, "URL", username, starttime, event_category, attack_phase
HAVING COUNT(*) > 3
ORDER BY event_count DESC
LAST 1 HOURS

QRadar AQL query correlating Lemur API access patterns consistent with SSRF exploitation via ACME callbacks and IDOR certificate enumeration, grouped by source IP and attack phase.

critical severity medium confidence

Data Sources

QRadar Web Application Firewall DSM Apache/Nginx Log Source Network Activity Logs

Required Tables

events

False Positives

Authorized vulnerability scanners (AppScan, Tenable) excluded via logsource filter
ACME bot certificate renewals with legitimate callback URLs
Bulk certificate operations by privileged service accounts
Monitoring systems performing Lemur API health checks

Sumo Logic CSE

sql

_sourceCategory=web/access OR _sourceCategory=nginx OR _sourceCategory=haproxy
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, time, method, uri, protocol, status, bytes nodrop
| if (isEmpty(uri), url, uri) as request_uri
| where request_uri matches "/api/v1/*"
| where (
    (request_uri matches "*acme*" or request_uri matches "*challenge*" or request_uri matches "*validation*")
    or request_uri matches "*169.254.169.254*"
    or (method in ("GET","PUT","DELETE") and request_uri matches "/api/v1/certificates/*")
  )
| eval attack_indicator = if(request_uri matches "*169.254.169.254*", "METADATA_SSRF",
    if(request_uri matches "*acme*" and request_uri matches "*url=*", "ACME_SSRF",
    if(request_uri matches "/api/v1/certificates/[0-9]*", "IDOR_ENUM", "UNKNOWN")))
| timeslice 5m
| stats count as hits, values(request_uri) as uris, values(attack_indicator) as indicators by src_ip, _timeslice
| where hits > 3 or indicators matches "*METADATA_SSRF*"
| sort by hits desc

Sumo Logic query detecting Lemur exploitation patterns including ACME SSRF callback abuse, cloud metadata endpoint probing, and certificate IDOR enumeration from web access logs.

critical severity medium confidence

Data Sources

Web Access Logs Nginx Logs HAProxy Logs Application Logs

Required Tables

_sourceCategory=web/access _sourceCategory=nginx

False Positives

Automated certificate management tools performing high-volume API operations
Internal monitoring probing Lemur API endpoints for availability
Authorized security testing generating ACME validation traffic
Multi-tenant environments where different teams manage shared certificates

Google Chronicle / SecOps

yaral

rule cve_2026_55166_lemur_ssrf_idor {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-55166 Lemur ACME SSRF and IDOR exploitation"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/Netflix/lemur/security/advisories/GHSA-v2wp-frmc-5q3v"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    (
      $e.metadata.event_type = "NETWORK_HTTP"
      and (
        re.regex($e.network.http.request_url, `/api/v1/(certificates|authorities|pending_certificates)`)
      )
      and (
        (
          re.regex($e.network.http.request_url, `(acme|challenge|validation)`) and
          re.regex($e.network.http.request_url, `url=`)
        ) or
        re.regex($e.network.http.request_url, `169\.254\.169\.254`) or
        re.regex($e.network.http.request_url, `fd00:ec2`) or
        re.regex($e.network.http.request_url, `metadata\.google\.internal`)
      )
    )
    and $e.principal.ip != ""

  match:
    $e.principal.ip over 10m

  outcome:
    $risk_score = max(
      if(re.regex($e.network.http.request_url, `169\.254\.169\.254`), 95, 0) +
      if(re.regex($e.network.http.request_url, `acme.*url=`), 75, 0)
    )
    $src_ip = array_distinct($e.principal.ip)
    $request_urls = array_distinct($e.network.http.request_url)
    $usernames = array_distinct($e.principal.user.userid)

  condition:
    #e > 1
}

Chronicle YARA-L 2.0 rule detecting Lemur SSRF exploitation via ACME URL callback manipulation targeting cloud metadata endpoints, with risk scoring based on attack severity.

critical severity high confidence

Data Sources

Chronicle UDM HTTP Events Web Proxy Logs WAF Events

Required Tables

udm_events

False Positives

ACME certificate automation tools with internal URL validation callbacks
Authorized red team simulations generating SSRF payloads
Legitimate Lemur integrations that reference internal network ranges in configuration
Security scanners that probe SSRF via known CVE patterns

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN ("NetworkConnectIP4", "ProcessRollup2", "ScriptControlScanTelemetry")
| where
  (
    event_simpleName = "NetworkConnectIP4" and
    (
      RemoteIP IN ("169.254.169.254", "169.254.169.253") or
      RemotePort IN (80, 8080, 443) and
      (
        RemoteIP startswith "169.254."
      )
    )
  ) or
  (
    event_simpleName = "ProcessRollup2" and
    (
      CommandLine matches regex "(curl|wget|python|requests).*169\.254\.169\.254" or
      CommandLine matches regex "(curl|wget).*lemur.*api.*(certificate|authority)" or
      CommandLine matches regex "acme.*--url.*http://(127\.|10\.|192\.168\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[01]\.)"
    )
  )
| eval attack_type = case(
    RemoteIP = "169.254.169.254", "AWS_METADATA_SSRF",
    CommandLine matches regex "acme.*--url", "ACME_SSRF_CLI",
    CommandLine matches regex "certificate.*[0-9]+", "IDOR_CERT_ENUM",
    true(), "SUSPICIOUS_LEMUR_ACTIVITY"
  )
| stats count() as event_count, values(CommandLine) as commands, values(RemoteIP) as remote_ips by aid, ComputerName, UserName, attack_type
| where event_count > 0
| sort - event_count

CrowdStrike Falcon query detecting network connections to cloud metadata endpoints and process executions consistent with Lemur SSRF exploitation or IDOR certificate enumeration via CLI tools.

critical severity medium confidence

Data Sources

CrowdStrike Falcon EDR Network Connection Events Process Events

Required Tables

ProcessRollup2 NetworkConnectIP4 ScriptControlScanTelemetry

False Positives

Legitimate AWS SDK calls from Lemur host reaching IMDS for IAM role credentials
Authorized internal tooling using curl/wget for certificate API testing
Cloud-native health check scripts that access instance metadata
Security tooling performing SSRF discovery as part of authorized pentests

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-55166 CVE-2026-55166: Lemur ACME SSRF and IDOR Leading to AWS IAM/PKI Compromise?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-55166

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox