CVE-2024-1643
CRITICALlunary-ai/lunary < 1.2.2 - Unauthenticated Organization Join and Data Access via Insufficient Permission Verification
Title source: llmDescription
By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. This vulnerability allows unauthorized access and modification of sensitive information, posing a significant security risk. The flaw is due to insufficient verification of user permissions when joining an organization.
References (3)
Core 3
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/ce2563a2-3d81-4e2e-954e-abecb9332416
Various Sources
https://github.com/lunary-ai/lunary/compare/v1.2.1...v1.2.2
Scores
CVSS v3
9.1
EPSS
0.0068
EPSS Percentile
47.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-200
Status
published
Products (1)
lunary-ai/lunary-ai/lunary
unspecified - 1.2.2
Published
Apr 10, 2024
Tracked Since
Feb 18, 2026