Lunary Privilege Escalation Vulnerability Allowing Unauthorized Access to Sensitive Endpoints

Vulnerability

A privilege-escalation vulnerability exists in the Lunary AI project at version afc5df4 due to a flawed privilege check. The authentication middleware treats an endpoint as public (exempt from the authentication check) whenever the request path merely contains the substring '/auth/', rather than matching the path against the specific public authentication routes. An unauthenticated attacker can therefore reach protected endpoints simply by including '/auth/' somewhere in the request path. As a result, the attacker can read and modify sensitive data and misuse resources belonging to other organizations without any credentials.
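The following is an added illustration of this class of bug, not Lunary's own code: a substring-based "is this route public?" check beside a deny-by-default replacement that canonicalizes the path and matches it against an anchored allowlist. The route names, the probe paths and the canonicalization helper are assumptions chosen for the example; the real public routes in Lunary are not listed on this page.

```typescript
// Added example, not Lunary's code. Route names and probe paths are assumptions.

// Vulnerable check: any path containing "/auth/" is treated as public, so a
// protected resource path with "/auth/" smuggled into it skips authentication.
export function isPublicVulnerable(path: string): boolean {
  return path.includes("/auth/");
}

// Hardened check: an explicit allowlist of anchored public routes (assumed
// names). Anything not listed requires authentication.
const PUBLIC_ROUTES: RegExp[] = [
  /^\/auth\/login$/,
  /^\/auth\/signup$/,
  /^\/auth\/reset-password$/,
];

// Canonicalize before matching: drop query/fragment, percent-decode, and
// resolve "." and ".." segments so "/auth/../v1/x" is compared as "/v1/x".
export function canonicalizePath(rawPath: string): string {
  let p = rawPath.split(/[?#]/, 1)[0];
  try {
    p = decodeURIComponent(p);
  } catch {
    return "/__invalid__"; // malformed encoding never matches a public route
  }
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

export function isPublicHardened(rawPath: string): boolean {
  const path = canonicalizePath(rawPath);
  return PUBLIC_ROUTES.some((re) => re.test(path));
}

// Constructed probe paths: one genuine public route, one protected route, and
// two protected routes with "/auth/" smuggled in.
export const PROBES: string[] = [
  "/auth/login",
  "/v1/users/me",
  "/v1/projects/123/runs/auth/", // "/auth/" as a trailing segment
  "/auth/../v1/users/me", // "/auth/" that normalization removes
];

// Returns, per probe, [vulnerable verdict, hardened verdict].
export function compareChecks(): Record<string, [boolean, boolean]> {
  const result: Record<string, [boolean, boolean]> = {};
  for (const p of PROBES) {
    result[p] = [isPublicVulnerable(p), isPublicHardened(p)];
  }
  return result;
}

for (const [p, [vuln, hard]] of Object.entries(compareChecks())) {
  console.log(`${p}\n  vulnerable: ${vuln ? "PUBLIC" : "protected"}\n  hardened:   ${hard ? "PUBLIC" : "protected"}`);
}
```

The substring check marks both smuggled paths as public; the anchored allowlist marks only `/auth/login` as public. The design point is that the public set must be an explicit, anchored list applied after canonicalization, with authentication required for everything else, rather than a pattern that any attacker-controlled path segment can satisfy.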

Impact

Exploiting this flaw gives an unauthenticated attacker access to endpoints that should require a valid session or API key. The attacker can read and modify confidential data and consume or misuse resources belonging to other organizations hosted on the same Lunary instance, i.e. a full authentication bypass with cross-tenant impact.

Reproduction

The vulnerability can be reproduced by sending a request, with no Authorization header or session cookie, to a protected endpoint whose path has been crafted to contain the substring '/auth/'. Because the privilege check only looks for that substring, the request is treated as public and the endpoint responds as if the caller were authenticated. The same request sent with a path that does not contain '/auth/' is rejected, which confirms that the substring, not a valid credential, is what grants access.

Remediation

Users should upgrade to the latest version of Lunary AI, in which the privilege check has been corrected. When verifying the fix or reviewing similar code, confirm that public routes are identified by an explicit, anchored allowlist applied to the canonicalized request path, and that every other route requires authentication by default; a check that accepts any path containing a given substring remains bypassable.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 5.7
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.