CVE-2024-4147

Medium CVSS: 6.5

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user's project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies.

Vendor

Lunary

Product

Lunary

CWE

CWE-1220

Yayın Tarihi

2026-02-02 11:16:16

Güncelleme

2026-02-11 21:14:06

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-1220 Lunary MEDIUM Lunary 2026

Referanslar

https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f https://huntr.com/bounties/3f051943-71ea-414c-a528-cd8b5d82a7ad

Benzer Kayıtlar

High

CVE-2024-5386

In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user…

High

CVE-2025-9803

lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth…

Critical

CVE-2025-5352

A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary version…

Medium

CVE-2025-4779

lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attack…

Medium

CVE-2025-0281

A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. An attacker can…

High

CVE-2024-9099

In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all pro…