Description
A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is resolved in version 1.4.3.
References (2)
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/183761f7-d411-4332-af86-2ccfbcc5bd9f
Scores
CVSS v3: 4.3
EPSS: 0.0023
EPSS Percentile: 45.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-639
Status: published
Products (1): lunary/lunary, 1.2.7 - 1.4.3
Published: Mar 20, 2025
Tracked Since: Feb 18, 2026