PT-2025-12258 · Unknown · Lunary-Ai/Lunary

Published

2025-03-20

Updated

2025-03-22

CVE-2024-8999

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions lunary-ai/lunary version v1.4.25

Description The issue is an improper access control vulnerability in the "POST /api/v1/data-warehouse/bigquery" endpoint. This allows any user to export the entire database data by creating a stream to Google BigQuery without proper authentication or authorization.

Recommendations For lunary-ai/lunary version v1.4.25, update to version 1.4.26 to resolve the issue. As a temporary workaround, consider restricting access to the "POST /api/v1/data-warehouse/bigquery" endpoint until the update is applied.

Exploit

Fix

Improper Access Control

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284CWE-862

Related Identifiers

CVE-2024-8999

Affected Products

Lunary-Ai/Lunary

PT-2025-12258 · Unknown · Lunary-Ai/Lunary

CVE-2024-8999

Weakness Enumeration

Related Identifiers

Affected Products

References · 5