PT-2025-12266 · Lunary · Lunary

Published: 2025-03-20 · Updated: 2025-03-21 · CVE-2024-9096

CVSS v3.1: 7.6 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.4.28

Description: The issue allows low-privilege users to modify checklists by sending a PATCH request to the /checklists/:id route due to a lack of proper access control. This enables any user associated with the project to modify checklists, including changing the slug or data fields, which can lead to tampering with essential project workflows, altering business logic, and introducing errors that undermine integrity.

Recommendations: For version 1.4.28, consider implementing proper access control middleware to ensure that only authorized users, such as project owners or admins, can modify checklist data. As a temporary workaround, restrict access to the /checklists/:id route to minimize the risk of exploitation.
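The following is an added example, not Lunary's code, showing the authorization gap the advisory describes beside the check it recommends. It models the PATCH /checklists/:id handler as a plain function over an in-memory state: the "vulnerable" shape only confirms that the caller belongs to the project, while the "hardened" shape additionally requires an owner or admin role and restricts the patch to the slug and data fields. The project/member/role layout, the role names, and the sample records are assumptions constructed for the demonstration, not Lunary's data model.

```javascript
// Added example (not Lunary's code): role-based authorization for a
// PATCH /checklists/:id handler, in the shape the advisory recommends.
// Assumptions: each project carries a member -> role map, and the roles
// allowed to edit checklists are "owner" and "admin". All data is constructed.

const ALLOWED_EDIT_ROLES = new Set(["owner", "admin"]);
const PATCHABLE_FIELDS = new Set(["slug", "data"]);

// Constructed sample state: one project with an owner, an admin and a plain member.
function makeState() {
  return {
    projects: {
      "proj-1": { members: { alice: "owner", bob: "admin", carol: "member" } },
    },
    checklists: {
      "chk-1": {
        projectId: "proj-1",
        slug: "release-gate",
        data: { steps: ["lint", "test"] },
      },
    },
  };
}

// Vulnerable shape: the handler only checks project membership, so any
// member, regardless of role, can rewrite the checklist (CWE "Missing Authorization").
function patchChecklistVulnerable(state, userId, checklistId, patch) {
  const checklist = state.checklists[checklistId];
  if (!checklist) return { status: 404 };
  const project = state.projects[checklist.projectId];
  if (!project || !(userId in project.members)) return { status: 403 };
  Object.assign(checklist, patch);
  return { status: 200, checklist };
}

// Hardened shape: membership, then an explicit role check, then a field allow-list.
function patchChecklistHardened(state, userId, checklistId, patch) {
  const checklist = state.checklists[checklistId];
  if (!checklist) return { status: 404 };
  const project = state.projects[checklist.projectId];
  if (!project || !(userId in project.members)) return { status: 403 };

  // Authorization: only project owners/admins may modify checklists.
  if (!ALLOWED_EDIT_ROLES.has(project.members[userId])) {
    return { status: 403, reason: "insufficient role" };
  }

  // Mass-assignment guard: copy only the keys this route is meant to expose,
  // so a client cannot move the checklist to another project via projectId.
  const update = {};
  for (const key of Object.keys(patch)) {
    if (PATCHABLE_FIELDS.has(key)) update[key] = patch[key];
  }
  if (update.slug !== undefined && typeof update.slug !== "string") {
    return { status: 400, reason: "slug must be a string" };
  }
  Object.assign(checklist, update);
  return { status: 200, checklist };
}

// Run both handlers for the low-privilege member to show the difference.
function demo() {
  const vulnerable = patchChecklistVulnerable(makeState(), "carol", "chk-1", { slug: "bypassed" });
  const hardened = patchChecklistHardened(makeState(), "carol", "chk-1", { slug: "bypassed" });
  return { vulnerableStatus: vulnerable.status, hardenedStatus: hardened.status };
}

console.log(JSON.stringify(demo()));
```

In a real service the role lookup and the allow-list would sit in middleware in front of the route, as the recommendation suggests, so that every mutating checklist endpoint inherits the same check rather than re-implementing it per handler.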

Weakness Enumeration

Improper Authorization

Missing Authorization

Related Identifiers

CVE-2024-9096

Affected Products

Lunary