VYPR
Moderate severity · NVD Advisory · Published Sep 13, 2024 · Updated Sep 13, 2024

Information Disclosure in lunary-ai/lunary

CVE-2024-6867

Description

An information disclosure vulnerability exists in lunary-ai/lunary, specifically in the runs/{run_id}/related endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the specified run but also all runs that have the run_id listed as their parent run. This issue affects the main branch, commit a761d833. The vulnerability allows unauthorized users to obtain information about non-public runs and their related runs, given the run_id of a public or non-public run.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lunary's runs/{run_id}/related endpoint lacks access control, allowing unauthorized users to view non-public runs and their parent-child relationships.

Vulnerability

Details

The endpoint runs/{run_id}/related in lunary-ai/lunary fails to verify that the requesting user has the necessary access rights to the run(s) they are querying. This access control omission means that any user, regardless of their authorization level, can retrieve information about any run provided they know its run_id. The vulnerability affects the main branch at commit a761d833 [1].

Exploitation

An attacker can exploit this vulnerability by sending a request to the /runs/{run_id}/related endpoint with a known run_id, which could be obtained from a public run or guessed. The endpoint not only returns the specified run but also all runs that have that run_id listed as their parent run. This allows the attacker to traverse the run hierarchy and gather information about related non-public runs without proper authorization [1]. The vulnerability was reported via the Huntr bug bounty platform [2].

Impact

Successful exploitation leads to unauthorized information disclosure of non-public runs and their relationships. This could expose sensitive data, internal processes, or business logic that are intended to be restricted to specific users or roles.

Mitigation

As of the publication date, the vulnerability remains unpatched in the main branch. Users of lunary-ai/lunary should implement proper access control checks on the runs/{run_id}/related endpoint to ensure that only authorized users can access runs and their related runs. The specific vulnerable commit is a761d833 [1].
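The access-control check the advisory asks for, as an added illustration rather than lunary's own code: a minimal in-memory model of a run tree with the unchecked lookup beside a hardened one that authorizes the requested run and filters its children by the same rule. The Run shape, projectId membership and visibility field are assumptions, and the sample runs are constructed.

```typescript
// Added example, not lunary-ai/lunary code. Models the missing authorization
// on runs/{run_id}/related and a hardened variant. Field names are assumed.

type Visibility = "public" | "private";

interface Run {
  id: string;
  projectId: string;
  parentRunId: string | null; // children list this id as their parent
  visibility: Visibility;
}

interface User { id: string; projectIds: string[] }

// Constructed sample data: a public root with two private children in
// project p1, and an unrelated private run in project p2.
const RUNS: Run[] = [
  { id: "r1", projectId: "p1", parentRunId: null, visibility: "public" },
  { id: "r2", projectId: "p1", parentRunId: "r1", visibility: "private" },
  { id: "r3", projectId: "p1", parentRunId: "r1", visibility: "private" },
  { id: "r4", projectId: "p2", parentRunId: null, visibility: "private" },
];

function findRun(runId: string): Run | undefined {
  return RUNS.filter(r => r.id === runId)[0];
}

function childrenOf(runId: string): Run[] {
  return RUNS.filter(r => r.parentRunId === runId);
}

// Vulnerable shape: any run_id is answered and every child is returned,
// with no check of who is asking.
function relatedVulnerable(runId: string): Run[] {
  const run = findRun(runId);
  return run ? [run].concat(childrenOf(runId)) : [];
}

// Hardened shape: the caller must be allowed to see the requested run, and
// each child is filtered by the same rule, so a public parent does not
// expose its private children.
function canView(user: User | null, run: Run): boolean {
  if (run.visibility === "public") return true;
  return user !== null && user.projectIds.indexOf(run.projectId) !== -1;
}

function relatedHardened(user: User | null, runId: string): Run[] {
  const run = findRun(runId);
  // Treat forbidden and missing runs alike so the response does not
  // confirm that a private run id exists.
  if (!run || !canView(user, run)) return [];
  return [run].concat(childrenOf(runId).filter(c => canView(user, c)));
}
```

In an HTTP handler the empty result corresponds to a single "not found" status for both the missing and the forbidden case.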

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
lunary (npm)   < 1.4.10            1.4.10

Affected products

  • ghsa-coords
    Range: < 1.4.10
  • lunary-ai/lunary-ai/lunaryv5
    Range: unspecified
