lunary-ai/lunary
cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*
- v1.4.29
A vulnerability exists in Lunary version 1.4.29, where the GET /projects API endpoint returns both the public and the private API keys of every project. The endpoint serves this data to users with minimal permissions, such as Viewers or Prompt Editors. Because the frontend calls this endpoint, the private API keys are visible in the browser's developer tools. An authorized low-privilege user therefore obtains credentials that could be used to act on behalf of the project, access private data, and delete resources.
Exploitation of this vulnerability allows low-privilege users to obtain sensitive API keys, which could be used to manipulate project resources, access private information, and perform deletions on behalf of the project.
To reproduce this vulnerability, log in as a user with Viewer or Prompt Editor permissions. Navigate to the GET /projects API endpoint. The response will include private API keys for all projects, which can be viewed in the developer tools.
Users are advised to update to the latest version of Lunary where this vulnerability has been addressed.
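The root cause is a response serializer that returns the full project record regardless of the caller's role. The following is an added example of the server-side fix pattern, not Lunary's own code: the field names (`publicApiKey`, `privateApiKey`), the role names, and the sample records are assumptions constructed for the example. It also includes a regression check that scans a response body for secret-looking fields, which can be run in tests against any endpoint.

```javascript
// Added example; field names, role names and sample data are assumptions, not Lunary's schema.

// Roles assumed to be allowed to see project secrets.
const PRIVILEGED_ROLES = new Set(["owner", "admin"]);

// Constructed sample of what project rows might look like server-side.
const SAMPLE_PROJECTS = [
  { id: "p1", name: "Prod", publicApiKey: "pk_constructed_1", privateApiKey: "sk_constructed_1" },
  { id: "p2", name: "Staging", publicApiKey: "pk_constructed_2", privateApiKey: "sk_constructed_2" },
];

// Build the GET /projects response body for a given caller.
// The secret is stripped on the server before serialization, so the client
// never receives it; hiding it in the UI alone would leave it in devtools.
function serializeProjectsForUser(projects, user) {
  const canSeeSecrets = PRIVILEGED_ROLES.has(user.role);
  return projects.map(({ privateApiKey, ...publicFields }) =>
    canSeeSecrets ? { ...publicFields, privateApiKey } : publicFields
  );
}

// Regression check: walk a serialized response and return the paths of any
// keys whose name suggests a secret. Useful as a test against low-privilege responses.
function findSecretFields(value, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findSecretFields(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      if (/private|secret/i.test(key)) hits.push(childPath);
      hits.push(...findSecretFields(child, childPath));
    }
  }
  return hits;
}

// Stand-alone demonstration: a viewer gets no secret fields, an owner does.
const viewerBody = serializeProjectsForUser(SAMPLE_PROJECTS, { role: "viewer" });
const ownerBody = serializeProjectsForUser(SAMPLE_PROJECTS, { role: "owner" });
console.log("viewer leaks:", findSecretFields(viewerBody));  // []
console.log("owner sees:", findSecretFields(ownerBody));     // ["[0].privateApiKey", "[1].privateApiKey"]
```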