Detect CVE-2026-55166: Lemur ACME SSRF and IDOR Leading to AWS IAM/PKI Compromise in Splunk
Detects exploitation of CVE-2026-55166 in Netflix Lemur (versions < 1.9.2), which combines an ACME protocol Server-Side Request Forgery (CWE-918) with a creator-equality Insecure Direct Object Reference (CWE-639/CWE-285). Successful exploitation allows an attacker to pivot from certificate management to AWS IAM credential theft and PKI infrastructure compromise. PoC is publicly available.
MITRE ATT&CK
SPL Detection Query
index=web OR index=proxy OR index=app sourcetype IN (access_combined, iis, nginx, haproxy_http, json_web)
| eval uri=coalesce(uri, cs_uri_stem, request_url, url)
| eval src_ip=coalesce(src_ip, c_ip, clientip, X_Forwarded_For)
| eval method=coalesce(method, cs_method, http_method)
| where match(uri, "/api/v1/(certificates|authorities|pending_certificates)")
| eval is_acme_ssrf=if(match(uri, "(acme|challenge|validation)") AND match(uri, "url="), 1, 0)
| eval is_metadata_ssrf=if(match(uri, "(169\.254\.169\.254|169\.254\.169\.253|fd00:ec2|metadata\.google|metadata\.internal)"), 1, 0)
| eval is_idor_probe=if(method IN ("GET","PUT","DELETE") AND match(uri, "/certificates/[0-9]+"), 1, 0)
| eval alert_type=case(
is_metadata_ssrf=1, "SSRF_CLOUD_METADATA",
is_acme_ssrf=1, "SSRF_ACME_CALLBACK",
is_idor_probe=1, "IDOR_CERT_ENUMERATION",
true(), "SUSPICIOUS_LEMUR_API"
)
| where is_acme_ssrf=1 OR is_metadata_ssrf=1 OR is_idor_probe=1
| stats count as request_count, values(alert_type) as alert_types, values(uri) as uris, dc(uri) as distinct_uris by src_ip, _time span=5m
| where request_count > 5 OR mvfind(alert_types, "SSRF_CLOUD_METADATA") >= 0
| eval risk_score=case(
mvfind(alert_types, "SSRF_CLOUD_METADATA") >= 0, 95,
mvfind(alert_types, "SSRF_ACME_CALLBACK") >= 0, 75,
true(), 60
)
| sort - risk_score
| table _time, src_ip, alert_types, request_count, distinct_uris, uris, risk_scoreIdentifies Lemur CVE-2026-55166 exploitation via ACME SSRF callbacks targeting cloud metadata services and IDOR enumeration of certificate IDs, scored by attack phase severity.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Automated ACME renewal bots with internal validation endpoints
- Security scanners performing authorized vulnerability assessments
- Certificate lifecycle management tools with high API call volume
- Load balancer health checks against Lemur API endpoints
Other platforms for CVE-2026-55166
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-55166 ACME SSRF via HTTP-01 Challenge URL Injection
Expected signal: Outbound HTTP GET to 169.254.169.254 from Lemur process; web log entry for POST /api/v1/certificates with pluginOptions containing acme_challenge_url
- Test 2CVE-2026-55166 IDOR Certificate Enumeration via Sequential ID Access
Expected signal: 200 HTTP responses to GET /api/v1/certificates/[1-200] from a single source IP; Lemur audit log entries for cross-user certificate access
- Test 3CVE-2026-55166 Chained SSRF + IDOR for AWS IAM Credential Harvest
Expected signal: Sequential GET requests to /api/v1/authorities/[1-50]; POST to /api/v1/certificates with IMDS URL in pluginOptions; outbound TCP connection from Lemur process to 169.254.169.254:80
Unlock Pro Content
Get the full detection package for CVE-2026-55166 including response playbook, investigation guide, and atomic red team tests.