PT-2024-34584 · Lunary · Lunary

Published: 2024-06-06 · Updated: 2024-11-03 · CVE-2024-5127

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions 1.2.2 through 1.2.25

Description: The issue arises from insufficient backend validation of roles and permissions, which allows unauthorized users to join a project and potentially obtain roles and permissions not intended for them. It specifically affects the Team feature: the backend does not verify that a user has paid for a plan before allowing them to send invite links with any role assigned. This could lead to unauthorized access to, and manipulation of, project settings or data.

Recommendations: For versions 1.2.2 through 1.2.25, as a temporary workaround, consider disabling the Team feature until a patch is available. Restrict access to the Team feature to minimize the risk of exploitation, and avoid using the role assignment feature within it until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
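To make the class of defect concrete, the following is an added illustration (not Lunary's code; every name, role, plan and record in it is constructed) of an invite handler that trusts the client-supplied role and skips the plan check, beside a hardened version that derives every decision from server-side state:

```javascript
// Hypothetical project-invite authorization, illustrating the missing-authorization
// pattern described in CVE-2024-5127. Not Lunary's code; all identifiers are constructed.

const ASSIGNABLE_ROLES = new Set(["viewer", "member", "admin"]); // "owner" is never grantable via invite
const ROLES_THAT_CAN_INVITE = new Set(["owner", "admin"]);
const PLANS_WITH_TEAM_FEATURE = new Set(["team", "enterprise"]); // assumed plan names

// Constructed sample state: organisations and their plan, projects, and memberships.
const db = {
  orgs: { "org-1": { plan: "free" }, "org-2": { plan: "team" } },
  projects: { "proj-a": { orgId: "org-1" }, "proj-b": { orgId: "org-2" } },
  memberships: [
    { userId: "u-alice", projectId: "proj-a", role: "owner" },
    { userId: "u-bob", projectId: "proj-b", role: "admin" },
    { userId: "u-carol", projectId: "proj-b", role: "viewer" },
  ],
};

// Vulnerable shape: the requested role is copied straight into the invite and
// neither the caller's own role nor the organisation's plan is checked.
function createInviteVulnerable(actorId, projectId, role) {
  return { ok: true, invite: { projectId, role, invitedBy: actorId } };
}

// Hardened shape: the caller must hold an inviting role in this project, the
// owning organisation must be on a plan that includes the Team feature, and the
// role being granted must come from a server-side allowlist.
function createInviteHardened(actorId, projectId, role) {
  const project = db.projects[projectId];
  if (!project) return { ok: false, reason: "unknown_project" };

  const membership = db.memberships.find(
    (m) => m.userId === actorId && m.projectId === projectId
  );
  if (!membership || !ROLES_THAT_CAN_INVITE.has(membership.role)) {
    return { ok: false, reason: "forbidden" };
  }

  const plan = db.orgs[project.orgId].plan;
  if (!PLANS_WITH_TEAM_FEATURE.has(plan)) return { ok: false, reason: "plan_required" };

  if (!ASSIGNABLE_ROLES.has(role)) return { ok: false, reason: "invalid_role" };

  return { ok: true, invite: { projectId, role, invitedBy: actorId } };
}
```

The same three checks (caller's role, entitlement, allowlisted target role) are what a reviewer would look for in any endpoint that issues invitations, regardless of what the client sends.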

Exploit

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-5127

Affected Products: Lunary