CVE-2024-4146

CRITICAL

lunary < 1.2.26 - Incorrect Authorization in checkProjectAccess Method

Title source: llm

Description

In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the `account_project` table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information.

References (2)

Core 2

Core References

Patch

https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7

Exploit, Issue Tracking

https://huntr.com/bounties/a749e696-b398-4260-b2d0-b0054b9fffa7

Scores

CVSS v3 9.8

EPSS 0.0015

EPSS Percentile 35.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-863

Status published

Products (2)

lunary/lunary 1.2.13

npm/lunary 0 - 1.2.26npm

Published Jun 08, 2024

Tracked Since Feb 18, 2026