Lunary Improper Authorization Vulnerability in Checklist Modification

Vulnerability

A vulnerability exists in Lunary version 1.4.28, where low-privilege users can modify checklists through the '/checklists/:id' route. This route lacks adequate access control, allowing any user associated with the project to alter checklist data, including slugs and data fields. Such modifications can disrupt essential project workflows, change business logic, and introduce errors that compromise data integrity.
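As an added illustration (not Lunary's own code), this is the project-scoped role check that a route like '/checklists/:id' needs before it touches slug or data; the role names, data layout and handler shape are assumptions:

```javascript
// Added example, not Lunary's code: a project-scoped authorization step for
// checklist mutation. Role names, the request shape and the data layout are
// assumptions chosen for the demonstration.

const MUTATING_METHODS = new Set(["PATCH", "PUT", "DELETE"]);
const ROLES_ALLOWED_TO_EDIT = new Set(["owner", "admin", "member"]); // assumed roles

// Constructed sample data: one checklist and three users with per-project roles.
const checklists = new Map([
  ["chk_1", { id: "chk_1", projectId: "proj_A", slug: "release", data: { items: [] } }],
]);
const users = {
  viewer: { id: "u1", roles: { proj_A: "viewer" } },
  editor: { id: "u2", roles: { proj_A: "member" } },
  outsider: { id: "u3", roles: { proj_B: "owner" } },
};

// Central decision function: resolves the caller's role in the checklist's own
// project (not a project id taken from the session or request body) and refuses
// mutating methods for roles that may only read.
function authorizeChecklistChange(user, checklistId, method) {
  const checklist = checklists.get(checklistId);
  if (!checklist) return { status: 404, reason: "checklist not found" };
  const role = user.roles[checklist.projectId];
  // Non-members get the same 404 as a missing id so ids cannot be enumerated.
  if (!role) return { status: 404, reason: "not a project member" };
  if (MUTATING_METHODS.has(method) && !ROLES_ALLOWED_TO_EDIT.has(role)) {
    return { status: 403, reason: `role '${role}' may not modify checklists` };
  }
  return { status: 200, reason: "ok" };
}

// PATCH handler: the authorization decision runs before any field is written,
// and only slug/data are client-writable (id and projectId never are).
function patchChecklist(user, checklistId, patch) {
  const decision = authorizeChecklistChange(user, checklistId, "PATCH");
  if (decision.status !== 200) return decision;
  const checklist = checklists.get(checklistId);
  if (patch.slug !== undefined) checklist.slug = patch.slug;
  if (patch.data !== undefined) checklist.data = patch.data;
  return { status: 200, checklist };
}
```

A 'viewer' PATCH is rejected with 403 and leaves the stored slug untouched, while a member of the checklist's project succeeds.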

Impact

Exploiting this vulnerability allows low-privilege users to change critical checklist information without authorization, potentially disrupting key project processes and introducing errors that undermine overall project integrity.

Reproduction

To reproduce this vulnerability, log in as a user with 'viewer' role and obtain an access token. Then, send a PATCH request to the '/checklists/:id' route, including a modified slug and data that could impact project integrity.

Remediation

Users can update to Lunary version 1.4.30 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.