PT-2024-26295 · Lunary Ai · Lunary
Published: 2024-06-06 · Updated: 2025-10-15 · CVE-2024-3504
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
lunary-ai/lunary versions up to and including 1.2.2
Description
An improper access control issue allows an admin to update any organization user to the organization owner. The elevated user can then delete projects within the organization.
Recommendations
For versions up to and including 1.2.2, update to version 1.2.7 to resolve the issue. As a temporary workaround, consider restricting the ability of admins to update user roles until the update can be applied.
Exploit
Fix
Incorrect Authorization
Improper Access Control
Affected Products
Lunary