CVE-2024-4151

HIGH

Lunary < 1.2.25 - IDOR

Title source: rule

Description

An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially leading to data integrity and confidentiality issues.

References (2)

Core 2

Core References

Exploit, Issue Tracking, Patch, Third Party Advisory

https://huntr.com/bounties/4acfef85-dedf-43bd-8438-0d8aaa4ffa01

Patch

https://github.com/lunary-ai/lunary/commit/ddfd497afd017a6946c582a1a806687fdac888bf

Scores

CVSS v3 8.1

EPSS 0.0013

EPSS Percentile 31.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (1)

lunary/lunary < 1.2.25

Published May 20, 2024

Tracked Since Feb 18, 2026