Description
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated.
References (2)
Core 2
Core References
Issue Tracking, Patch, Third Party Advisory
https://huntr.com/bounties/8fdfdb9d-10bd-4f00-8004-d5baabc20c6e
Scores
CVSS v3
8.1
EPSS
0.0040
EPSS Percentile
31.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-922
Status
published
Products (1)
lunary/lunary
< 1.2.6
Published
Nov 14, 2024
Tracked Since
Feb 18, 2026