PT-2025-12268 · Unknown · Lunary-Ai/Lunary

Published: 2025-03-20 · Updated: 2025-04-10 · CVE-2024-9099

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version v1.4.29

Description: The GET "/projects" API endpoint exposes both the public and the private API keys of every project to users with minimal permissions, such as Viewers or Prompt Editors. This issue allows unauthorized users to retrieve sensitive credentials, which can then be used to perform actions on behalf of the project, access private data, and delete resources. The private API keys are also visible in the browser's developer tools when the endpoint is called from the frontend.

Recommendations: For version v1.4.29, consider restricting access to the GET "/projects" API endpoint to prevent unauthorized users from retrieving sensitive credentials. As a temporary workaround, restrict the use of the developer tools to minimize the risk of exploitation. Avoid using the API endpoint from the frontend until the issue is resolved.
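The following is an added illustration of the flaw and of the recommended fix; it is not Lunary's own code. It models a GET "/projects" handler that returns stored project records unfiltered (so every member sees the private keys), next to a hardened version that only includes the private key for roles allowed to manage credentials. The project records, key values and role names ("owner", "admin", "viewer", "prompt_editor") are constructed for the example.

```javascript
// Constructed sample project records (hypothetical keys, not real credentials).
const PROJECTS = [
  { id: "p1", name: "Chatbot", publicKey: "pub-aaaa", privateKey: "priv-1111" },
  { id: "p2", name: "Search", publicKey: "pub-bbbb", privateKey: "priv-2222" },
];

// Allowlist of roles that may read private keys. Deny by default: Viewer,
// Prompt Editor, and any unknown or missing role are excluded.
const KEY_MANAGER_ROLES = new Set(["owner", "admin"]);

// Vulnerable shape: the handler serializes the stored record as-is, so any
// authenticated member of the org receives every project's privateKey.
function listProjectsVulnerable(user, projects = PROJECTS) {
  return projects.map((p) => ({ ...p }));
}

// Hardened shape: strip privateKey from the response unless the caller's
// role is in the allowlist. Filtering happens server-side, so the frontend
// (and the browser's developer tools) never receive the secret.
function listProjectsHardened(user, projects = PROJECTS) {
  const canReadSecrets = KEY_MANAGER_ROLES.has(user && user.role);
  return projects.map(({ privateKey, ...publicFields }) =>
    canReadSecrets ? { ...publicFields, privateKey } : publicFields
  );
}

// Regression check for a test suite: true if any returned project still
// carries a private key. Run it against responses for low-privilege roles.
function leaksPrivateKeys(response) {
  return response.some((p) => Object.prototype.hasOwnProperty.call(p, "privateKey"));
}
```

Calling `leaksPrivateKeys(listProjectsHardened({ role: "viewer" }))` in CI for each non-admin role catches a reintroduction of the leak before it ships.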


Weakness Enumeration

Related Identifiers: CVE-2024-9099

Affected Products: Lunary-Ai/Lunary