CVE-2026-55166 Elastic Security · Elastic

Detect CVE-2026-55166: Lemur ACME SSRF and IDOR Leading to AWS IAM/PKI Compromise in Elastic Security

Detects exploitation of CVE-2026-55166 in Netflix Lemur (versions < 1.9.2), which combines an ACME protocol Server-Side Request Forgery (CWE-918) with a creator-equality Insecure Direct Object Reference (CWE-639/CWE-285). Successful exploitation allows an attacker to pivot from certificate management to AWS IAM credential theft and PKI infrastructure compromise. PoC is publicly available.

MITRE ATT&CK

Tactic
Initial Access Credential Access Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=10m
  [
    http where
      url.path like~ "/api/v1/*" and
      (
        url.path like~ "*acme*" or
        url.path like~ "*challenge*" or
        url.path like~ "*validation*"
      ) and
      (
        url.query like~ "*url=*" or
        url.query like~ "*callback*"
      )
  ] by source.ip
  [
    http where
      (
        url.path like~ "*169.254.169.254*" or
        url.path like~ "*169.254.169.253*" or
        url.query like~ "*169.254.169.254*" or
        url.query like~ "*metadata.google*" or
        url.query like~ "*fd00:ec2*"
      ) or
      (
        network.direction == "egress" and
        destination.ip == "169.254.254.169"
      )
  ] by source.ip
critical severity medium confidence

EQL sequence correlation: detects an ACME challenge/callback request from a source IP followed within 10 minutes by a request or outbound connection to a cloud metadata endpoint, indicating successful SSRF chain.

Data Sources

Elastic APMPacketbeatFilebeat (web logs)Auditbeat

Required Tables

logs-*packetbeat-*filebeat-*

False Positives & Tuning

  • Legitimate ACME HTTP-01 validation where challenge server resolves to internal range
  • Split-horizon DNS configurations that resolve metadata-like hostnames internally
  • Authorized red team exercises simulating SSRF chains
  • Misconfigured certificate plugins using internal callback URLs

Other platforms for CVE-2026-55166

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-55166 ACME SSRF via HTTP-01 Challenge URL Injection

    Expected signal: Outbound HTTP GET to 169.254.169.254 from Lemur process; web log entry for POST /api/v1/certificates with pluginOptions containing acme_challenge_url

  2. Test 2CVE-2026-55166 IDOR Certificate Enumeration via Sequential ID Access

    Expected signal: 200 HTTP responses to GET /api/v1/certificates/[1-200] from a single source IP; Lemur audit log entries for cross-user certificate access

  3. Test 3CVE-2026-55166 Chained SSRF + IDOR for AWS IAM Credential Harvest

    Expected signal: Sequential GET requests to /api/v1/authorities/[1-50]; POST to /api/v1/certificates with IMDS URL in pluginOptions; outbound TCP connection from Lemur process to 169.254.169.254:80

Last updated: 2026-06-26 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2026-55166 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0006Credential AccessTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1552.005Cloud Instance Metadata APIT1550.001Application Access TokenT1083File and Directory Discovery

Same Tactic: Initial Access

Popular Detections