Lunary Improper Authorization Vulnerability Allowing Unauthorized Access to Sensitive User Information

Vulnerability

A vulnerability exists in Lunary AI's application, specifically in version 1.5.5, due to improper authorization on the '/users/me/org' endpoint. This lack of adequate access control enables unauthorized users to retrieve sensitive information about all team members within the current organization. The exposed data may include names, roles, and email addresses, leading to privacy violations and potential reconnaissance for targeted attacks.

Impact

Exploitation of this vulnerability could result in unauthorized disclosure of sensitive information, including names, roles, and email addresses of team members, creating privacy concerns and opportunities for targeted attacks.

Reproduction

To reproduce this vulnerability, send a request to the '/users/me/org' endpoint without the necessary authorization. The response will include sensitive information about all team members in the organization, despite lacking sufficient privileges to access such data.

Remediation

Users can update to Lunary version 1.5.6, where this vulnerability has been addressed.
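As an added illustration of the class of defect described above (this is not Lunary's code; the session shape, the in-memory user store and the role names are assumptions), a minimal "current organization members" handler in its vulnerable and its hardened form:

```javascript
// Added illustration, not Lunary's code: the session shape, the in-memory user
// store and the role names below are assumptions for the example.

// Constructed sample data standing in for the users table.
const USERS = [
  { id: 1, orgId: 10, name: "Alice", role: "owner",  email: "alice@example.com" },
  { id: 2, orgId: 10, name: "Bob",   role: "member", email: "bob@example.com" },
  { id: 3, orgId: 20, name: "Carol", role: "owner",  email: "carol@example.com" },
];

// Vulnerable pattern: no authentication check, the organization comes from
// client-controlled input, and every stored field is returned as-is.
function getOrgMembersVulnerable(req) {
  const orgId = Number(req.query.orgId);
  return { status: 200, body: USERS.filter((u) => u.orgId === orgId) };
}

// Hardened pattern: require a session, derive the organization from the
// caller's own record (never from the request), and expose e-mail addresses
// only to roles that need them.
function getOrgMembersHardened(session) {
  if (!session || !Number.isInteger(session.userId)) {
    return { status: 401, body: { error: "authentication required" } };
  }
  const caller = USERS.find((u) => u.id === session.userId);
  if (!caller) {
    return { status: 403, body: { error: "forbidden" } };
  }
  const canSeeEmail = caller.role === "owner" || caller.role === "admin";
  const members = USERS.filter((u) => u.orgId === caller.orgId).map((u) => ({
    id: u.id,
    name: u.name,
    role: u.role,
    ...(canSeeEmail ? { email: u.email } : {}),
  }));
  return { status: 200, body: members };
}
```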

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.