PT-2024-26289 · Lunary Ai · Lunary

Published 2024-11-14 · Updated 2025-01-30 · CVE-2024-3501

CVSS v3.1 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions up to and including 1.2.5
Description: An information disclosure issue exists in lunary-ai/lunary up to and including 1.2.5: the JSON responses of the GET /v1/users/me and GET /v1/users/me/org API endpoints include the single-use tokens stored on the user records they return. These tokens are intended for sensitive operations such as password resets and account verification, so anyone who can read those responses, not only the token's intended recipient, obtains a credential that can be used to perform those actions on behalf of the affected user. That is what the C:H/I:H components of the vector reflect: a leaked token both discloses account data and allows account state to be changed without the legitimate user's involvement.
Recommendations: For lunary-ai/lunary versions up to and including 1.2.5, update to version 1.2.6, which stops returning single-use tokens in user-facing queries. Until the update is applied, as a temporary workaround restrict access to the GET /v1/users/me and GET /v1/users/me/org API endpoints (for example at a reverse proxy or API gateway in front of the application). Because tokens served in earlier responses may already have been captured, operators may also want to invalidate any outstanding single-use tokens after upgrading so that a previously leaked token cannot be redeemed.
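The vulnerability class described above, as an added TypeScript illustration that is not Lunary's code: a handler that returns a user row as selected leaks every column, including the single-use token, while a handler that serialises through an explicit allow-list does not. The row shape, the field names (single_use_token, password_hash) and the response shapes are assumptions chosen to mirror the advisory, not Lunary's actual schema, and the sample records are constructed. The block also includes a small response-walking check that a test suite can run against any endpoint's JSON to flag credential-looking keys, which is the regression test that would have caught this class of bug.

```typescript
// Added illustration for CVE-2024-3501 (not Lunary's code). Field names,
// row shape and response shapes are assumptions, not Lunary's schema.

type UserRow = {
  id: string;
  email: string;
  name: string;
  org_id: string;
  role: string;
  password_hash: string;
  single_use_token: string | null; // assumed: password-reset / verification token
  created_at: string;
};

type Org = { id: string; name: string };

// Constructed sample data standing in for what a DB query would return.
export const acme: Org = { id: "org_1", name: "Acme" };
export const alice: UserRow = {
  id: "u_1", email: "alice@example.com", name: "Alice", org_id: "org_1",
  role: "admin", password_hash: "$argon2id$...", single_use_token: "9f2c...reset",
  created_at: "2024-11-01T00:00:00Z",
};
export const bob: UserRow = {
  id: "u_2", email: "bob@example.com", name: "Bob", org_id: "org_1",
  role: "member", password_hash: "$argon2id$...", single_use_token: null,
  created_at: "2024-11-02T00:00:00Z",
};

// Vulnerable pattern: the handler returns the row exactly as selected
// (SELECT * style), so every column, secrets included, reaches the client.
export function meUnsafe(user: UserRow) {
  return { ...user };
}
export function meOrgUnsafe(org: Org, members: UserRow[]) {
  return { ...org, users: members.map((m) => ({ ...m })) };
}

// Hardened pattern: serialise through an explicit allow-list. A column added
// later (a new token, an API key) stays invisible to clients until someone
// deliberately lists it here, which is the failure mode a deny-list misses.
const PUBLIC_USER_FIELDS = ["id", "email", "name", "org_id", "role", "created_at"] as const;
type PublicUser = Pick<UserRow, (typeof PUBLIC_USER_FIELDS)[number]>;

export function toPublicUser(user: UserRow): PublicUser {
  const out: Record<string, unknown> = {};
  for (const f of PUBLIC_USER_FIELDS) out[f] = user[f];
  return out as PublicUser;
}
export function meSafe(user: UserRow): PublicUser {
  return toPublicUser(user);
}
export function meOrgSafe(org: Org, members: UserRow[]) {
  return { ...org, users: members.map(toPublicUser) };
}

// Regression check for tests/CI: walk a response body and list the JSON path of
// every key whose name looks like a credential, whatever its value (a null token
// still reveals the column and is populated the next time a reset is requested).
const SECRET_KEY = /token|secret|password|hash|api_?key/i;

export function findSecretKeys(value: unknown, path = "$"): string[] {
  const hits: string[] = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findSecretKeys(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      const p = `${path}.${k}`;
      if (SECRET_KEY.test(k)) hits.push(p);
      hits.push(...findSecretKeys(v, p));
    }
  }
  return hits;
}

// Stand-alone demo: the vulnerable handlers yield leaked paths, the hardened ones none.
console.log(findSecretKeys(meUnsafe(alice)));
console.log(findSecretKeys(meOrgUnsafe(acme, [alice, bob])));
console.log(findSecretKeys(meSafe(alice)), findSecretKeys(meOrgSafe(acme, [alice, bob])));
```

The allow-list is the important half: the 1.2.6 fix as described on this page removes the token from the user-facing queries, and an allow-list at the serialisation boundary makes that property hold for columns added in the future as well. Running findSecretKeys over every endpoint's response in the test suite turns the same property into a check that fails the build instead of shipping.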

Weakness Enumeration: Information Disclosure; Insecure Storage of Sensitive Information

Related Identifiers: CVE-2024-3501

Affected Products: Lunary