PT-2024-18211 · Lunary Ai · Lunary

Published: 2024-04-15 · Updated: 2025-01-10 · CVE-2024-1666

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.0.0

Description: The issue is an authorization flaw that allows unauthorized radar creation. The check that a user is on a free account, which should block radar creation until the account is upgraded, is enforced only in the web UI; the server performs no such check when it handles a radar creation request. An attacker can therefore bypass the intended account upgrade requirement by sending crafted requests directly to the server and create an unlimited number of radars without payment.

Recommendations: For lunary-ai/lunary version 1.0.0, consider disabling the radar creation feature until a patch is available. Restrict access to the server-side radar creation API to reduce the risk of exploitation. Use the web UI, which enforces the account check, rather than calling the radar creation API directly. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
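The underlying defect is a plan restriction enforced only in the client. The following is an added illustration, not Lunary's code, of the pattern the description implies: a request handler that looks up the account's plan on the server and refuses radar creation for free accounts, beside the unchecked variant. The names (db, createRadar, createRadarUnchecked, FREE_PLAN_RADAR_LIMIT) and the sample organisations are assumptions.

```javascript
// Added example (not Lunary's code). Demonstrates enforcing a plan-based
// restriction on the server rather than only in the web UI.
// All names and sample data below are constructed for illustration.

// Assumption: free accounts may create no radars; a paid plan is required.
const FREE_PLAN_RADAR_LIMIT = 0;

class ForbiddenError extends Error {
  constructor(msg) { super(msg); this.status = 403; }
}

// In-memory stand-in for the database (constructed sample data).
const db = {
  orgs: new Map([
    ["org-free", { id: "org-free", plan: "free" }],
    ["org-paid", { id: "org-paid", plan: "pro" }],
  ]),
  radars: [],
};

// Vulnerable pattern: the server trusts that the UI already blocked free
// accounts and creates the radar for any caller.
function createRadarUnchecked(orgId, body = {}) {
  const radar = { id: `r${db.radars.length + 1}`, orgId, name: body.name };
  db.radars.push(radar);
  return radar;
}

// Hardened pattern: the plan comes from the server-side record, never from
// the request, and the existing radar count is compared against the limit.
function createRadar(orgId, body = {}) {
  const org = db.orgs.get(orgId);
  if (!org) throw new ForbiddenError("unknown org");
  if (org.plan === "free") {
    const existing = db.radars.filter((r) => r.orgId === orgId).length;
    if (existing >= FREE_PLAN_RADAR_LIMIT) {
      throw new ForbiddenError("radar creation requires a paid plan");
    }
  }
  if (typeof body.name !== "string" || body.name.trim() === "") {
    throw new Error("invalid radar name");
  }
  const radar = { id: `r${db.radars.length + 1}`, orgId, name: body.name.trim() };
  db.radars.push(radar);
  return radar;
}
```

The same check belongs on every server entry point that mutates billable state, since the UI can be bypassed by any HTTP client.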

Exploit

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers: CVE-2024-1666

Affected Products: Lunary