CVE-2024-1738

HIGH

lunary < 1.2.4 - Unauthenticated Incorrect Authorization in Evaluations API Endpoint

Title source: llm

Description

An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL query. As a result, attackers can gain access to potentially private data contained within the evaluation results.

References (2)

Core 2

Core References

Patch

https://github.com/lunary-ai/lunary/commit/a4e61122e61dc31460cfbe54d15fae389cc440ce

Exploit, Issue Tracking, Patch, Third Party Advisory

https://huntr.com/bounties/f68ef361-7a5d-4272-9c2f-414baf074309

Scores

CVSS v3 7.5

EPSS 0.0055

EPSS Percentile 41.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (1)

lunary/lunary < 1.2.4

Published Apr 16, 2024

Tracked Since Feb 18, 2026