Description
In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources.
References (2)
Exploit, Issue Tracking, Patch, Third Party Advisory
https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f
Scores
CVSS v3
6.5
EPSS
0.0011
EPSS Percentile
28.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (1)
lunary/lunary
< 1.2.26
Published
May 21, 2024
Tracked Since
Feb 18, 2026