CVE-2024-10274

MEDIUM

lunary-ai/lunary <1.5.5 - Info Disclosure

Title source: llm

Description

An improper authorization vulnerability exists in lunary-ai/lunary version 1.5.5. The /users/me/org endpoint lacks adequate access control mechanisms, allowing unauthorized users to access sensitive information about all team members in the current organization. This vulnerability can lead to the disclosure of sensitive information such as names, roles, or emails to users without sufficient privileges, resulting in privacy violations and potential reconnaissance for targeted attacks.

References (2)

Core 2

Core References

Patch

https://github.com/lunary-ai/lunary/commit/8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc

Exploit, Third Party Advisory

https://huntr.com/bounties/506459c1-da60-45c5-a10d-8bd540a4b4c1

Scores

CVSS v3 6.5

EPSS 0.0050

EPSS Percentile 38.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

lunary/lunary < 1.5.7

Published Mar 20, 2025

Tracked Since Feb 18, 2026