CVE-2024-1740

CRITICAL

lunary < 1.2.7 - Incorrect Authorization via Uninvalidated Authorization Token

Title source: llm

Description

In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which does not properly invalidate upon the user's removal from the organization. This allows the removed user to perform unauthorized actions on logs and access project and external user details without valid permissions.

References (2)

Core 2

Core References

Patch

https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54

Exploit, Issue Tracking, Patch, Third Party Advisory

https://huntr.com/bounties/c1a51f71-628e-4eb5-ac35-50bf64832cfd

Scores

CVSS v3 9.1

EPSS 0.0064

EPSS Percentile 45.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (1)

lunary/lunary < 1.2.7

Published Apr 10, 2024

Tracked Since Feb 18, 2026