CVE-2024-9098

Name of the Vulnerable Software and Affected Versions lunary-ai/lunary versions prior to 1.4.30

Description The issue arises from the user creation endpoint not restricting administrators from inviting users with billing roles, allowing them to gain unauthorized access to billing resources. This poses a risk to the organization's financial resources as administrators can circumvent the intended access control.

Recommendations For versions prior to 1.4.30, update to version 1.4.30 or later to resolve the issue. As a temporary workaround, consider restricting access to the user creation endpoint to prevent administrators from inviting users with billing roles.