lunary-ai lunary Broken Access Control Vulnerability

Vulnerability

A broken access control vulnerability has been identified in lunary-ai/lunary that allows unauthorized users to read the contents of any dataset. The application does not validate the authorization token before returning dataset information, so a GET request to the /v1/datasets endpoint succeeds even when no valid token is supplied.

Impact

Exploitation of this vulnerability allows unauthorized users to view the contents of any dataset, including sensitive information such as messages and dataset details, without proper authorization.

Reproduction

To reproduce this vulnerability, send a GET request to the /v1/datasets endpoint with no authorization token (for example, with no Authorization header at all). On a vulnerable instance the response includes the content of the datasets, showing that data is returned before any access control check is applied; a patched instance should reject the unauthenticated request and return no dataset data.
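As an added illustration (not lunary's own code and not a description of its actual request handler), the following TypeScript models the two shapes of a GET /v1/datasets handler: the vulnerable one, in which dataset contents are returned without the token ever being checked, and a hardened one that resolves the caller's project from a bearer token before any data is read. The function names, the in-memory token store and the sample datasets are constructed for this example; scoping the result to the caller's project in the fixed handler goes beyond the advisory's text, which only requires that the token be validated.

```typescript
// Added example, not code from the lunary project. Models a GET /v1/datasets
// handler in memory so the unauthenticated reproduction step can be simulated
// without a running server. All names and data below are assumptions.

interface Dataset {
  id: string;
  projectId: string;
  name: string;
  messages: string[];
}

interface ApiRequest {
  method: string;
  path: string;
  headers: Record<string, string>;
}

type ApiBody = Dataset[] | { error: string };

interface ApiResponse {
  status: number;
  body: ApiBody;
}

// Constructed sample data: two tenants, each owning one dataset.
const DATASETS: Dataset[] = [
  { id: "ds_1", projectId: "proj_a", name: "support-chats", messages: ["hello", "my order id is 42"] },
  { id: "ds_2", projectId: "proj_b", name: "eval-set", messages: ["q1", "q2"] },
];

// Constructed token -> project mapping standing in for a real API-key lookup.
const TOKENS: Record<string, string> = {
  tok_project_a: "proj_a",
  tok_project_b: "proj_b",
};

// Header names are case-insensitive, so look them up case-insensitively.
function getHeader(headers: Record<string, string>, name: string): string {
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === name.toLowerCase()) return headers[key];
  }
  return "";
}

// Vulnerable shape: the Authorization header is never inspected, so an
// unauthenticated caller receives every dataset, messages included.
function getDatasetsVulnerable(_req: ApiRequest): ApiResponse {
  return { status: 200, body: DATASETS };
}

// Hardened shape: reject the request unless a valid bearer token is present,
// and only then return the datasets belonging to that token's project.
function getDatasetsFixed(req: ApiRequest): ApiResponse {
  const match = /^Bearer\s+(\S+)$/i.exec(getHeader(req.headers, "authorization"));
  if (!match) {
    return { status: 401, body: { error: "missing or malformed authorization token" } };
  }
  const projectId = TOKENS[match[1]];
  if (!projectId) {
    return { status: 401, body: { error: "invalid authorization token" } };
  }
  const visible = DATASETS.filter((d) => d.projectId === projectId);
  return { status: 200, body: visible };
}

// The advisory's reproduction step, simulated: a GET with no token at all.
const unauthenticatedRequest: ApiRequest = {
  method: "GET",
  path: "/v1/datasets",
  headers: {},
};

console.log("vulnerable handler, no token:", getDatasetsVulnerable(unauthenticatedRequest).status);
console.log("fixed handler, no token:", getDatasetsFixed(unauthenticatedRequest).status);
```

The check a practitioner wants is the second line of output: an unauthenticated request must be refused before the dataset store is touched, and the project used to filter results must come from the validated token rather than from anything the client supplies.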

Remediation

Users are advised to update to version 1.4.9 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.