Description
A privilege escalation vulnerability exists in lunary-ai/lunary version 1.2.2: any user can delete any dataset because the dataset deletion functionality performs no authorization check. The application never verifies that the user requesting the deletion has permission to act on that dataset, so an unauthorized user can send a DELETE request to the server and remove any dataset simply by specifying its ID. The issue is located in the datasets.delete function within the datasets index file.
References (2)
Exploit, Issue Tracking, Patch, Third Party Advisory
https://huntr.com/bounties/a6c0deb3-6a4c-4188-8aaa-9e6207f82f44
Scores
CVSS v3: 8.2
EPSS: 0.0045
EPSS Percentile: 36.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-862
Status: published
Products (1): lunary/lunary < 1.2.8
Published: Jun 06, 2024
Tracked Since: Feb 18, 2026