PT-2024-37377 · Lunary · Lunary

Published: 2024-09-13 · Updated: 2024-09-19 · CVE-2024-6087

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions prior to commit 844e8855c7a713dc7371766dba4125de4007b1cf
Description: An improper access control issue exists, allowing attackers to use auth tokens from the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover.
Recommendations: For versions prior to commit 844e8855c7a713dc7371766dba4125de4007b1cf, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the use of the 'invite user' functionality until a patch is available. Avoid using the auth tokens issued by this functionality to minimize the risk of exploitation.

Weakness Enumeration: Improper Access Control, IDOR

Related Identifiers: CVE-2024-6087, GHSA-6P2Q-8QFQ-WQ7X

Affected Products: Lunary