CVE-2024-3504

MEDIUM

lunary-ai/lunary <1.2.7 - Privilege Escalation

Title source: llm

Description

An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.

Scores

CVSS v3: 6.5
EPSS: 0.0049
EPSS Percentile: 38.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-863
Status: published
Products (1): lunary/lunary < 1.2.7
Published: Jun 06, 2024
Tracked Since: Feb 18, 2026