PT-2024-37376 · Lunary Ai · Lunary

Published: 2024-06-27 · Updated: 2024-09-19 · CVE-2024-6086

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.2.7
Description: The issue allows any authenticated user to change the name of an organization due to improper access control. This is because the checkAccess() function is not implemented, enabling users with low privileges, such as the Prompt Editor role, to modify organization attributes without proper authorization.
Recommendations: For version 1.2.7, consider disabling the checkAccess() function temporarily, or restrict the modification of organization attributes to only authorized users until a proper fix is implemented. Additionally, review and implement proper access control mechanisms to prevent unauthorized modifications.

Weakness Enumeration: Improper Access Control; Incorrect Authorization

Related Identifiers: CVE-2024-6086

Affected Products: Lunary