Lunary Privilege Escalation Vulnerability Allowing Unauthorized Access to Billing Resources

Vulnerability

A privilege escalation vulnerability has been identified in Lunary AI's project management tool, specifically in versions prior to 1.4.30. This vulnerability allows admins to invite new members with billing permissions, thereby gaining unauthorized access to sensitive billing resources. The issue stems from the user creation endpoint, which fails to restrict admins from assigning billing roles. Consequently, admins can bypass established access controls, jeopardizing the organization's financial resources.
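The following is an added illustration, not Lunary's own code, of the missing check on an invite endpoint: one guard only verifies the inviter's role, while the corrected guard also verifies that every permission being assigned is one that role may grant. The `Role`, `Permission`, `Invite` and `GRANTABLE` names are hypothetical.

```typescript
// Added example (not Lunary's code). Models the flaw described above:
// an admin may invite members, but only owners may hand out billing.
type Role = "owner" | "admin" | "member";
type Permission = "projects" | "billing";

interface Invite {
  inviterRole: Role;               // role of the user sending the invite
  grantedPermissions: Permission[]; // permissions requested for the invitee
}

// Permissions each role is allowed to grant on an invitation (hypothetical policy).
const GRANTABLE: Record<Role, ReadonlySet<Permission>> = {
  owner: new Set<Permission>(["projects", "billing"]),
  admin: new Set<Permission>(["projects"]),
  member: new Set<Permission>(),
};

// Vulnerable shape: checks that the inviter may invite at all, but never
// looks at which permissions the invite carries, so billing slips through.
function canInviteVulnerable(invite: Invite): boolean {
  return invite.inviterRole === "owner" || invite.inviterRole === "admin";
}

// Fixed shape: the inviter must be able to invite AND every requested
// permission must be one the inviter's own role is allowed to grant.
function canInviteFixed(invite: Invite): boolean {
  const allowed = GRANTABLE[invite.inviterRole];
  if (allowed.size === 0) return false; // plain members cannot invite
  return invite.grantedPermissions.every((p) => allowed.has(p));
}
```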

Impact

Exploitation of this vulnerability enables admins to access and modify billing resources, a privilege reserved for organization owners. This could lead to unauthorized changes in financial data or settings, posing a significant risk to the integrity and confidentiality of the organization's billing operations.

Reproduction

To reproduce this vulnerability, log in as an admin user and confirm that billing resources are not accessible. Then, invite a new member with billing permissions. After the invitation is accepted, log in as the new member to access and modify billing settings, thereby circumventing the intended restrictions.

Remediation

Users can update to Lunary version 1.4.30 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.4
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.