Insufficient Access Control in lunary-ai/lunary
Description
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or project of the requesting user. As a result, unauthorized modifications to dataset prompts can occur, leading to altered or removed dataset prompts without proper authorization. This vulnerability impacts the integrity and consistency of dataset information, potentially affecting the results of experiments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In lunary-ai/lunary 1.2.13, insufficient access control allows unauthorized users to modify prompt variations in datasets outside their organization.
Vulnerability
Overview
In lunary-ai/lunary version 1.2.13, a vulnerability due to insufficient granularity of access control allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. The root cause is the application's failure to validate the ownership of dataset prompts and their variations against the organization or project of the requesting user: the object is resolved by its identifier alone, and nothing ties that identifier back to the caller's tenant [1][2].
Exploitation
This issue can be exploited by any authenticated user who can make API requests that manipulate prompt variations. The attacker needs no privileges beyond a valid user account and the identifier of the target dataset prompt or variation; the attack does not require the dataset to be shared or publicly accessible. Because ownership is never checked, the same requests that work against the attacker's own data work against datasets belonging to other organizations or projects [1][2].
Impact
Successful exploitation enables unauthorized modifications to dataset prompts, including creating, updating, retrieving, or deleting prompt variations. This compromises the integrity and consistency of dataset information, potentially altering experimental results and leading to data corruption or loss [1][2].
Mitigation
As of the publication date, users should upgrade to lunary 1.4.9 or later, the version the GitHub Security Advisory lists as patched (see Affected packages below); the vulnerable behaviour is documented against 1.2.13. No workaround is documented; upgrading is the recommended action [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lunary (npm) | < 1.4.9 | 1.4.9 |
Affected products (2)
- lunary-ai/lunary-ai/lunary (v5 range: unspecified)
Patches
135dd4af0001a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References (4)
News mentions (0)
No linked articles in our index yet.