Lunary IDOR Vulnerability in Score Update Endpoint

Vulnerability

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in Lunary version 1.6.0. This issue arises in the PATCH /v1/runs/:id/score endpoint, where the id parameter can be manipulated to update the score data of any run. The endpoint fails to properly validate whether the authenticated user has the right to modify the specified runId, allowing users with valid accounts to alter other users' run scores by changing the id value in the request URL. This vulnerability was addressed in version 1.6.1.

Impact

Exploitation of this vulnerability allows any authenticated user to modify the score data of runs belonging to other users without authorization.

Remediation

Users can upgrade to Lunary version 1.6.1 or later to address this vulnerability.
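
As an added illustration (not Lunary's code), the shape of the missing check: a score-update handler keyed only by the id from the URL beside one that scopes the lookup to the calling user. The names runs, ownerId and handlePatchScore are assumed, and the sample data is constructed.

```javascript
// Added example, not Lunary's code: a minimal model of the missing check behind
// PATCH /v1/runs/:id/score. Names (runs, ownerId, handlePatchScore) are assumed.

// Constructed sample data standing in for the runs table: two runs, two owners.
const runs = new Map([
  ["run-a", { ownerId: "user-1", score: 0.2 }],
  ["run-b", { ownerId: "user-2", score: 0.9 }],
]);

// Vulnerable shape: the run is fetched by the id from the URL alone, so any
// authenticated caller can change the score of a run they do not own.
function updateScoreVulnerable(user, runId, score) {
  const run = runs.get(runId);
  if (!run) return { status: 404 };
  run.score = score;
  return { status: 200, score: run.score };
}

// Hardened shape: the lookup is scoped to the caller (in SQL this is an
// "AND owner_id = $2" on the same query), and a run the caller does not own is
// reported exactly like a missing one, so the endpoint does not reveal valid ids.
function updateScoreChecked(user, runId, score) {
  const run = runs.get(runId);
  if (!run || run.ownerId !== user.id) return { status: 404 };
  run.score = score;
  return { status: 200, score: run.score };
}

// Route glue: pull :id out of the path and validate the body before updating.
// `updater` is one of the two functions above, so both shapes can be exercised.
function handlePatchScore(user, path, body, updater) {
  const m = /^\/v1\/runs\/([^/]+)\/score$/.exec(path);
  if (!m) return { status: 404 };
  if (typeof body.score !== "number" || !Number.isFinite(body.score)) {
    return { status: 400 };
  }
  return updater(user, decodeURIComponent(m[1]), body.score);
}
```

The detection signal for this class of bug is the same in any stack: a write handler whose only lookup key is a client-supplied id, with no owner or tenant column in the same query.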

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  3.5
remediation     7.7
relevance       0.0
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.