CVE-2024-10273

MEDIUM

lunary-ai/lunary v1.5.0 - Privilege Escalation

Title source: llm

Description

In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models owned by others. The PATCH endpoint for models does not have appropriate privilege checks, enabling low-privilege users to update models they should not have access to modify. This vulnerability could lead to unauthorized changes in critical resources, affecting the integrity and reliability of the system.

References (2)

Core 2

Core References

Patch

https://github.com/lunary-ai/lunary/commit/8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc

Exploit, Third Party Advisory

https://huntr.com/bounties/883d9fe2-5730-41e1-a5c2-59972489876e

Scores

CVSS v3 6.5

EPSS 0.0040

EPSS Percentile 31.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (1)

lunary/lunary < 1.5.7

Published Mar 20, 2025

Tracked Since Feb 18, 2026