VYPR
Critical severity · NVD Advisory · Published Jun 8, 2024 · Updated Aug 30, 2024

Incorrect Authorization in lunary-ai/lunary

CVE-2024-4146

Description

In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the checkProjectAccess method within the authorization middleware, which fails to adequately verify if a user has the correct permissions to access a specific project. Instead, it only checks if the user is part of the organization owning the project, overlooking the necessary check against the account_project table for explicit project access rights. This flaw enables attackers to gain complete control over all resources within a project, including the ability to create, update, read, and delete any resource, compromising the privacy and security of sensitive information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lunary v1.2.13 fails to verify explicit project access, allowing unauthorized users within an organization to fully control any project's resources.

Root Cause

CVE-2024-4146 is an incorrect authorization vulnerability in lunary-ai/lunary version v1.2.13. The checkProjectAccess method in the authorization middleware only verifies that a user belongs to the organization that owns the project, lacking a query to the account_project table for explicit project-level permissions [1][2].

Exploitation

An attacker who is any member of the target organization can exploit this flaw without needing additional privileges. Because the project-level access check is missing, they can access any project within that organization [2].

Impact

Successful exploitation grants the attacker complete control over all resources within the targeted project, including the ability to create, update, read, and delete any resource. This compromises the privacy and security of sensitive information stored in the project [1].

Mitigation

The vulnerability was reported via the Huntr bug bounty platform. As of the published advisory, users should upgrade to a patched version or apply the fix that ensures the checkProjectAccess method verifies explicit project membership [2].
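To make the root cause and the fix concrete, the following is an added illustration written for this page, not lunary's own code: a simplified in-memory model of the authorization check in the vulnerable shape (organization membership only) beside the hardened shape that also requires an explicit row in account_project. The table name account_project comes from the advisory; the account and project records, the function names and the sample data are constructed assumptions.

```typescript
// Added illustration, not lunary's code: a simplified model of the
// authorization bug described in CVE-2024-4146 and the check that fixes it.
// The table name account_project follows the advisory; everything else is a
// constructed in-memory stand-in for the real database.

interface Account { id: string; orgId: string }
interface Project { id: string; orgId: string }
interface AccountProject { accountId: string; projectId: string }

// Constructed sample data: alice and bob are in org-1, carol in org-2.
// alice has an explicit grant for proj-a only; proj-b belongs to the same
// organization but alice has no account_project row for it.
const accounts: Account[] = [
  { id: "alice", orgId: "org-1" },
  { id: "bob", orgId: "org-1" },
  { id: "carol", orgId: "org-2" },
];
const projects: Project[] = [
  { id: "proj-a", orgId: "org-1" },
  { id: "proj-b", orgId: "org-1" },
  { id: "proj-c", orgId: "org-2" },
];
const accountProject: AccountProject[] = [
  { accountId: "alice", projectId: "proj-a" },
  { accountId: "bob", projectId: "proj-b" },
];

function findAccount(id: string): Account | undefined { return accounts.find(a => a.id === id); }
function findProject(id: string): Project | undefined { return projects.find(p => p.id === id); }

// Vulnerable shape: only "same organization" is verified (the flaw the
// advisory describes), so any organization member reaches every project.
function checkProjectAccessVulnerable(accountId: string, projectId: string): boolean {
  const account = findAccount(accountId);
  const project = findProject(projectId);
  if (!account || !project) return false;
  return account.orgId === project.orgId;
}

// Hardened shape: keep the organization check, then require an explicit grant
// row in account_project. Unknown accounts, unknown projects and cross-org
// requests all fail closed.
function checkProjectAccessFixed(accountId: string, projectId: string): boolean {
  const account = findAccount(accountId);
  const project = findProject(projectId);
  if (!account || !project) return false;
  if (account.orgId !== project.orgId) return false;
  return accountProject.some(ap => ap.accountId === accountId && ap.projectId === projectId);
}
```

With this data, the vulnerable check lets alice into proj-b purely by organization membership, while the hardened check denies it and still permits proj-a.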

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
lunary    npm         < 1.2.26            1.2.26

Affected products

2
  • ghsa-coords
    Range: < 1.2.26
  • lunary-ai/lunary-ai/lunaryv5
    Range: unspecified

Patches

1

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

4

News mentions

0

No linked articles in our index yet.