CVE-2024-1741

CRITICAL

lunary < 1.2.8 - Unauthenticated Improper Authorization via Old Authorization Token

Title source: llm

Description

lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on prompt templates by sending HTTP requests with their previously captured authorization token. This issue exposes organizations to unauthorized access and manipulation of sensitive template data.

References (2)

Core 2

Core References

Patch

https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2

Exploit, Issue Tracking, Patch, Third Party Advisory

https://huntr.com/bounties/671bd040-1cc5-4227-8182-5904e9c5ed3b

Scores

CVSS v3 9.1

EPSS 0.0059

EPSS Percentile 43.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-863

Status published

Products (1)

lunary/lunary < 1.2.8

Published Apr 10, 2024

Tracked Since Feb 18, 2026