PT-2024-18266 · Lunary Ai · Lunary

Published 2024-04-10 · Updated 2025-01-31 · CVE-2024-1741

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.0.1

Description: The issue allows removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on prompt templates by sending HTTP requests with their previously captured authorization token. This exposes organizations to unauthorized access and manipulation of sensitive template data.

Recommendations: For lunary-ai/lunary version 1.0.1, consider disabling the use of old authorization tokens to prevent removed members from accessing prompt templates until a patch is available. Restrict access to prompt template operations to minimize the risk of exploitation. Avoid using previously captured authorization tokens in HTTP requests to the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
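The weakness described above is an authorization check that trusts the organization claim carried in a token instead of re-checking current membership. The following is an added illustration of that pattern beside a hardened one; it is not Lunary's own code, and the in-memory membership store, the token shape and the per-user token generation counter are assumptions constructed for the example.

```javascript
// Constructed in-memory stand-ins for the application's database.
const memberships = new Set();      // "orgId:userId" for current members
const tokenGeneration = new Map();  // userId -> generation; bumped on removal

function addMember(orgId, userId) {
  memberships.add(`${orgId}:${userId}`);
  if (!tokenGeneration.has(userId)) tokenGeneration.set(userId, 1);
}

// Removing a member also bumps the generation so every token issued
// before the removal becomes stale, even if the user is re-added later.
function removeMember(orgId, userId) {
  memberships.delete(`${orgId}:${userId}`);
  tokenGeneration.set(userId, (tokenGeneration.get(userId) || 0) + 1);
}

// Constructed token: a snapshot of membership at issue time (not a real JWT).
function issueToken(orgId, userId) {
  if (!memberships.has(`${orgId}:${userId}`)) throw new Error('not a member');
  return { userId, orgId, generation: tokenGeneration.get(userId) };
}

// Vulnerable pattern: the handler trusts the orgId claim inside the token, so a
// token captured before removal still authorizes prompt template operations.
function canAccessTemplatesVulnerable(token, orgId) {
  return token.orgId === orgId;
}

// Hardened pattern: the claim is only a hint. Current membership and the
// token generation are re-checked on every request, so removal takes effect
// immediately and old tokens are rejected.
function canAccessTemplatesHardened(token, orgId) {
  if (token.orgId !== orgId) return false;
  if (!memberships.has(`${orgId}:${token.userId}`)) return false;
  return token.generation === tokenGeneration.get(token.userId);
}

// Scenario: a member is issued a token, then removed from the organization.
function demo() {
  addMember('org-1', 'alice');
  const stale = issueToken('org-1', 'alice');
  removeMember('org-1', 'alice');
  addMember('org-1', 'alice');                 // re-added: stale token must stay dead
  const fresh = issueToken('org-1', 'alice');
  return {
    staleVulnerable: canAccessTemplatesVulnerable(stale, 'org-1'),
    staleHardened: canAccessTemplatesHardened(stale, 'org-1'),
    freshHardened: canAccessTemplatesHardened(fresh, 'org-1'),
  };
}
```

Running `demo()` shows the vulnerable check still accepting the stale token while the hardened check rejects it and accepts only a token issued after re-admission.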

Weakness Enumeration: Incorrect Authorization; Improper Authorization

Related Identifiers: CVE-2024-1741

Affected Products: Lunary