PT-2025-47979 · Lunary Ai · Lunary

Published: 2025-11-25 · Updated: 2025-12-30 · CVE-2025-9803

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions prior to 1.9.35

Description: The application is susceptible to account takeover due to flawed authentication within the Google OAuth integration. Specifically, the application does not validate the aud (audience) field present in the access token provided by Google. The aud field confirms the intended recipient of the token, and the absence of this check allows attackers to leverage tokens issued to malicious applications to gain unauthorized access to user accounts. The vulnerable component is the Google OAuth integration process.

Recommendations: lunary-ai/lunary versions prior to 1.9.35 should be updated to version 1.9.35 or later.


Weakness Enumeration

Incorrect Authorization
Improper Authentication

Related Identifiers: CVE-2025-9803

Affected Products: Lunary