lunary-ai/lunary
cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*
- 1.5.8
A vulnerability exists in Lunary AI versions prior to 1.5.9, where the /v1/evaluators/ endpoint allows users to delete evaluators from a project without proper access control. This lack of middleware verification enables low-privilege users to remove evaluator data, leading to permanent data loss and potential disruption of operations, such as breaking a CI pipeline that relies on the deleted evaluator.
This vulnerability allows low-privilege users to delete evaluator data, causing permanent data loss and potentially disrupting operations that depend on the deleted resources.
To reproduce this vulnerability, log in as a user with the 'billing' role, which does not have access to evaluation data. Copy the access token and send a DELETE request to the /v1/evaluators/ endpoint, including the evaluator ID and the authorization token in the request headers.
Users can update to Lunary AI version 1.5.9 or later, where this vulnerability has been fixed.
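The missing check described above, as an added example that is not Lunary's own code: a minimal in-memory DELETE handler in its unchecked form beside a version that scopes the delete to the caller's role on the evaluator's project. The role names, store shape and sample users are assumptions constructed for the example.

```javascript
// Added example, not Lunary's code: a DELETE /v1/evaluators/:id handler with and
// without the project-scoped access check the advisory says the endpoint lacked.

// Assumption: only these roles may manage evaluators; 'billing' is deliberately absent.
const EVALUATOR_MANAGER_ROLES = new Set(["owner", "admin", "member"]);

// Fresh in-memory state per call so demos and tests do not share mutations.
function makeStore() {
  return {
    // Constructed sample data: one evaluator belonging to project proj-A.
    evaluators: new Map([["eval-1", { id: "eval-1", projectId: "proj-A" }]]),
    // userId -> { projectId -> role } (constructed sample memberships)
    memberships: {
      "user-billing": { "proj-A": "billing" },
      "user-admin": { "proj-A": "admin" },
      "user-outsider": { "proj-B": "owner" },
    },
  };
}

// Unchecked shape: the caller is authenticated, but nothing verifies that the
// caller may act on the evaluator's project, so any valid token can delete it.
function deleteEvaluatorUnchecked(store, userId, evaluatorId) {
  if (!(userId in store.memberships)) return { status: 401 };
  if (!store.evaluators.has(evaluatorId)) return { status: 404 };
  store.evaluators.delete(evaluatorId);
  return { status: 200 };
}

// Hardened shape: resolve the evaluator's project, then require a managing
// role on that specific project before touching the row.
function deleteEvaluator(store, userId, evaluatorId) {
  const projects = store.memberships[userId];
  if (!projects) return { status: 401 };
  const evaluator = store.evaluators.get(evaluatorId);
  if (!evaluator) return { status: 404 };
  const role = projects[evaluator.projectId];
  if (!role || !EVALUATOR_MANAGER_ROLES.has(role)) {
    return { status: 403, error: "insufficient role for this project" };
  }
  store.evaluators.delete(evaluatorId);
  return { status: 200 };
}
```

In a real service the same decision belongs in a shared middleware keyed on the resource's project, so every evaluator route applies it rather than each handler remembering to.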