lunary-ai/lunary
cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*
- 1.2.13
A vulnerability in Lunary AI's Lunary application, specifically in version 1.2.13, allows users to delete prompts belonging to other organizations by manipulating prompt IDs. The issue arises from inadequate validation of prompt ownership before deletion: the application checks only that the user holds the permission to delete prompts, not that the targeted prompt belongs to the user's organization or project. Consequently, users can remove prompts owned by another organization, causing legitimate users to lose access to them and leaving the affected organization's data in an inconsistent state.
Exploitation of this vulnerability allows users to delete prompts from other organizations, disrupting access for legitimate users and creating information inconsistencies.
To reproduce this vulnerability, log in as a user from one organization and then log in as a user from another organization in a private browser session. After adding a prompt in the first organization's account, intercept the request to delete the prompt. Replace the access token with one from the second organization and send the request without the project ID parameter. The prompt will be deleted, and a subsequent request will confirm its removal.
Users are advised to update to Lunary version 1.2.25, where this vulnerability has been fixed.
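The missing ownership check described above, modelled as an added example. This is not Lunary's code: the in-memory prompt store, the `Session` shape derived from the access token, and the two handlers are constructed here to show the difference between checking only the caller's permission and scoping the delete to the caller's own organization and project.

```typescript
// Added example, not Lunary's code: a minimal model of the prompt-deletion
// ownership bug described in this advisory and of the server-side fix.
// Every name, type and sample value below is constructed for illustration.

type Prompt = { id: number; orgId: number; projectId: number; name: string };

// Tenant context derived server-side from the access token (assumed shape).
type Session = { userId: number; orgId: number; projectId: number; canDeletePrompts: boolean };

type Outcome = "deleted" | "forbidden" | "not_found";

// Constructed sample data: two organisations, one project and one prompt each.
function seedPrompts(): Map<number, Prompt> {
  return new Map<number, Prompt>([
    [1, { id: 1, orgId: 100, projectId: 10, name: "org A greeting" }],
    [2, { id: 2, orgId: 200, projectId: 20, name: "org B greeting" }],
  ]);
}

// Vulnerable pattern: the handler verifies the caller's permission, but the
// tenant scope is an optional client-supplied parameter. Omitting projectId
// from the request skips the ownership comparison entirely.
function deletePromptUnscoped(
  store: Map<number, Prompt>,
  session: Session,
  promptId: number,
  requestedProjectId?: number,
): Outcome {
  if (!session.canDeletePrompts) return "forbidden";
  const prompt = store.get(promptId);
  if (prompt === undefined) return "not_found";
  if (requestedProjectId !== undefined && prompt.projectId !== requestedProjectId) {
    return "not_found";
  }
  store.delete(promptId);
  return "deleted";
}

// Hardened pattern: scope comes only from the authenticated session, never
// from the request body, and the delete is conditioned on id AND org AND
// project. A foreign prompt is reported as not_found rather than forbidden,
// so that prompt ids of other tenants are not confirmed to exist.
function deletePromptScoped(store: Map<number, Prompt>, session: Session, promptId: number): Outcome {
  if (!session.canDeletePrompts) return "forbidden";
  const prompt = store.get(promptId);
  const ownedByCaller =
    prompt !== undefined && prompt.orgId === session.orgId && prompt.projectId === session.projectId;
  if (!ownedByCaller) return "not_found";
  store.delete(promptId);
  return "deleted";
}

// Replays the cross-organisation scenario: a user of org B, holding a valid
// delete permission, targets org A's prompt id and sends no projectId.
function crossTenantScenario(): { unscoped: Outcome; scoped: Outcome; leftAfterFix: number } {
  const orgBUser: Session = { userId: 2, orgId: 200, projectId: 20, canDeletePrompts: true };
  const unscoped = deletePromptUnscoped(seedPrompts(), orgBUser, 1);
  const fixedStore = seedPrompts();
  const scoped = deletePromptScoped(fixedStore, orgBUser, 1);
  return { unscoped, scoped, leftAfterFix: fixedStore.size };
}

// Sanity check that a tenant can still delete its own prompt through the fixed path.
function ownDeleteStillWorks(): Outcome {
  const orgBUser: Session = { userId: 2, orgId: 200, projectId: 20, canDeletePrompts: true };
  return deletePromptScoped(seedPrompts(), orgBUser, 2);
}

console.log(crossTenantScenario(), ownDeleteStillWorks());
```

In a real backend the same fix belongs at the data layer: the delete statement is conditioned on both the prompt id and the project taken from the session (the shape of `DELETE ... WHERE id = $1 AND project_id = $2` is an assumed illustration, not Lunary's query), and zero affected rows is treated as not found. A regression test that does what `crossTenantScenario` does, one tenant's session against another tenant's prompt id with the optional parameter omitted, is the check that keeps this class of bug from returning.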