CVE-2024-10762
HIGHlunary < 1.5.9 - Missing Authorization for Evaluator Deletion via /v1/evaluators/ Endpoint
Title source: llmDescription
In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluators data, causing permanent data loss and potentially hindering operations.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/23ab508e-d956-4861-b28f-0569d3b404a6
Scores
CVSS v3
8.1
EPSS
0.0051
EPSS Percentile
39.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (1)
lunary/lunary
< 1.5.9
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026