PT-2024-34594 · Lunary Ai · Lunary
Published
2024-06-06
·
Updated
2024-06-07
·
CVE-2024-5132
Severity: none assigned
No severity ratings or metrics are available yet. When they are, the corresponding information on this page will be updated.
Name of the Vulnerable Software and Affected Versions
lunary-ai/lunary version 1.2.2
Description
A business logic error in lunary-ai/lunary version 1.2.2 allows users to bypass the intended limit on team member invitations and additions, regardless of the organization's subscription plan. The cause is that the invitation flow does not validate the request against the SEAT ALLOWANCE constants, so the per-plan seat limit is never enforced when a member is invited or added.
Recommendations
For lunary-ai/lunary version 1.2.2, consider restricting the use of the team member invitation features until a patch is available, to prevent exploitation of the business logic error. Additionally, review and validate the SEAT ALLOWANCE constants to ensure that team member limits are enforced according to the subscription plan on every path that invites or adds a member. Operators can also audit existing organizations for member or pending-invitation counts that exceed their plan's allowance, since seats already granted through the flaw are not undone by a patch. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
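The following is an added illustration of the class of bug described above and of the server-side check the recommendations ask for; it is not Lunary's code. It uses a hypothetical in-memory organization model, assumed plan names and SEAT_ALLOWANCE values, and invented function names (inviteVulnerable, inviteFixed, acceptFixed, demo). The vulnerable handler accepts every invitation; the hardened one compares current seat usage, including invitations that are still pending, against the plan's allowance, and re-checks on acceptance in case the plan changed in between.

```typescript
// Added example, not lunary-ai/lunary's code. Plan names, allowances and the
// Org model below are assumptions chosen to demonstrate the check.

type Plan = "free" | "pro" | "unlimited";

// Hypothetical seat allowance per plan (assumed values, not Lunary's constants).
const SEAT_ALLOWANCE: Record<Plan, number> = { free: 1, pro: 5, unlimited: Infinity };

interface Org {
  plan: Plan;
  members: string[];         // accepted members, identified by email
  pendingInvites: string[];  // invitations sent but not yet accepted
}

// Seats consumed so far: accepted members plus outstanding invitations.
// Pending invites count, otherwise a burst of invites would exceed the plan
// once they are all accepted.
function seatsInUse(org: Org): number {
  return org.members.length + org.pendingInvites.length;
}

// Vulnerable pattern: the request is never compared with the allowance, so
// any limit that exists only in the UI is bypassed by calling the API directly.
function inviteVulnerable(org: Org, email: string): boolean {
  org.pendingInvites.push(email);
  return true;
}

// Hardened pattern: reject duplicates and enforce the allowance server-side.
function inviteFixed(org: Org, email: string): boolean {
  if (org.members.includes(email) || org.pendingInvites.includes(email)) {
    return false; // an existing member or invitee must not consume a second seat
  }
  if (seatsInUse(org) >= SEAT_ALLOWANCE[org.plan]) {
    return false; // plan is full
  }
  org.pendingInvites.push(email);
  return true;
}

// Re-check at acceptance time: the plan may have been downgraded after the
// invitation was sent, so the invite-time check alone is not sufficient.
function acceptFixed(org: Org, email: string): boolean {
  const idx = org.pendingInvites.indexOf(email);
  if (idx === -1) return false; // no such invitation
  if (org.members.length >= SEAT_ALLOWANCE[org.plan]) return false;
  org.pendingInvites.splice(idx, 1);
  org.members.push(email);
  return true;
}

// Demonstration on constructed data: a free-plan org (1 seat, already taken by
// the owner) receives three invitation requests under each handler.
function demo(): { vulnerableSeats: number; fixedSeats: number } {
  const invitees = ["a@example.com", "b@example.com", "c@example.com"];
  const vuln: Org = { plan: "free", members: ["owner@example.com"], pendingInvites: [] };
  const fixed: Org = { plan: "free", members: ["owner@example.com"], pendingInvites: [] };
  for (const e of invitees) {
    inviteVulnerable(vuln, e);
    inviteFixed(fixed, e);
  }
  return { vulnerableSeats: seatsInUse(vuln), fixedSeats: seatsInUse(fixed) };
}

console.log(demo()); // vulnerable org ends up with 4 seats on a 1-seat plan, fixed org stays at 1
```

In a real deployment the count-then-insert in inviteFixed is a time-of-check to time-of-use window: two concurrent invitation requests can both observe a free seat. Run the count and the insert in one database transaction with a lock on the organization row, or back the limit with a database constraint, so the allowance holds under concurrency as well. The same check must guard every path that creates a membership, including direct member additions, not only the invitation endpoint.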
Related Identifiers
Affected Products
Lunary