PT-2024-37914 · Lunary Ai · Lunary-Ai
Published 2024-09-13 · Updated 2024-09-19 · CVE-2024-6867
CVSS v3.1 6.5 Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
lunary-ai/lunary versions up to 1.4.9
Description
An information disclosure issue exists in the runs/{run id}/related endpoint, which does not verify that the requesting user is entitled to the run(s) being accessed. Any authenticated user who knows the id of a run, public or not, can therefore retrieve information about non-public runs and the runs related to them, across project boundaries. Because the only thing the attacker needs is a run id, a public share link is enough of a starting point.
Recommendations
For versions up to 1.4.9, upgrade lunary-ai to a fixed release. Until the upgrade can be applied, restrict access to the runs/{run id}/related endpoint as a temporary workaround, and treat run ids as sensitive: knowing the id of any run, including a public one, is enough to reach the non-public runs related to it.
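The missing check described above, and why the workaround has to cover the related runs and not only the entry run, as an added TypeScript illustration that is not Lunary's own code. It models the endpoint with an in-memory store; the types Run and Caller, the functions relatedVulnerable, relatedHardened and hiddenFrom, the NotFound error and the sample runs and callers are all assumptions made for this example.

```typescript
// Added example, not Lunary's own code: the missing access check on
// runs/{run id}/related, modelled with an in-memory store. Every name
// below (Run, Caller, relatedVulnerable, relatedHardened, the sample runs)
// is an assumption made for this illustration.

type RunId = string;

interface Run {
  id: RunId;
  projectId: string;     // tenant that owns the run
  isPublic: boolean;     // true when the run is shared via a public link
  parentRunId?: RunId;   // parent in the trace tree, absent for a root
  output: string;
}

interface Caller {
  userId: string;
  projectIds: Set<string>; // projects the caller is a member of
}

// Constructed sample data: two tenants, each with a root run and a child run.
const RUNS: Run[] = [
  { id: "run-a", projectId: "proj-1", isPublic: true,  output: "shared trace" },
  { id: "run-b", projectId: "proj-1", isPublic: false, parentRunId: "run-a", output: "private child of the shared trace" },
  { id: "run-c", projectId: "proj-2", isPublic: false, output: "other tenant's root" },
  { id: "run-d", projectId: "proj-2", isPublic: false, parentRunId: "run-c", output: "other tenant's child" },
];

// Constructed callers: an authenticated user with no project membership,
// and a member of proj-1 only.
const OUTSIDER: Caller = { userId: "u-outsider", projectIds: new Set<string>() };
const MEMBER1: Caller = { userId: "u-member", projectIds: new Set<string>(["proj-1"]) };

class NotFound extends Error {}

function rootOf(store: Run[], run: Run): Run {
  let cur = run;
  for (;;) {
    const parentId = cur.parentRunId;
    if (!parentId) return cur;
    const parent = store.find((r) => r.id === parentId);
    if (!parent) return cur;
    cur = parent;
  }
}

// "Related" runs: every run in the same trace tree as the entry run (entry included).
function relatedTo(store: Run[], runId: RunId): Run[] {
  const entry = store.find((r) => r.id === runId);
  if (!entry) return [];
  const rootId = rootOf(store, entry).id;
  return store.filter((r) => rootOf(store, r).id === rootId);
}

// Vulnerable shape: the id is resolved and the whole tree returned without ever
// consulting the caller, so any valid run id (guessed, leaked, or copied from a
// public share link) yields every non-public run in the same tree.
function relatedVulnerable(store: Run[], _caller: Caller, runId: RunId): Run[] {
  return relatedTo(store, runId);
}

// Hardened shape: authorize the entry run, then apply the same rule to each
// related run rather than letting the entry run's visibility cover its neighbours.
function relatedHardened(store: Run[], caller: Caller, runId: RunId): Run[] {
  const canSee = (r: Run) => r.isPublic || caller.projectIds.has(r.projectId);
  const entry = store.find((r) => r.id === runId);
  // Unknown and forbidden ids get the same answer, so the endpoint does not
  // double as an oracle for which run ids exist.
  if (!entry || !canSee(entry)) throw new NotFound("run not found");
  return relatedTo(store, runId).filter(canSee);
}

// Helpers used to compare the two handlers on the sample data.
function ids(runs: Run[]): RunId[] {
  return runs.map((r) => r.id).sort();
}

function hiddenFrom(store: Run[], caller: Caller, runId: RunId): boolean {
  try {
    relatedHardened(store, caller, runId);
    return false;
  } catch (e) {
    return e instanceof NotFound;
  }
}

// Demonstration: an outsider holding only the public run id.
console.log("vulnerable:", ids(relatedVulnerable(RUNS, OUTSIDER, "run-a"))); // leaks run-b
console.log("hardened:  ", ids(relatedHardened(RUNS, OUTSIDER, "run-a")));   // run-a only
```

The point of the hardened version is the second filter: checking the entry run alone would still let a public run act as a doorway to its non-public neighbours, which is exactly the path the description gives for this issue. Answering missing and forbidden ids identically is a separate, cheaper win that keeps the endpoint from confirming which ids exist.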
Affected Products
Lunary-Ai