High severity7.7OSV Advisory· Published Aug 18, 2025· Updated Apr 15, 2026

CVE-2025-4962

Description

An Insecure Direct Object Reference (IDOR) vulnerability was identified in the POST /v1/templates endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the projectId query parameter. The root cause of this issue is the absence of server-side validation to ensure that the authenticated user owns the specified projectId. The vulnerability has been addressed in version 1.9.23.

Affected products

Lunary Ai/LunaryOSV

Patches

e977d06f18a6

https://github.com/lunary-ai/lunaryvia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/lunary-ai/lunary/commit/e977d06f18a615963ffbe07e5bdff70218c29907nvd
huntr.com/bounties/137a0aef-e243-49d4-832f-8e56056cba1anvd

News mentions

No linked articles in our index yet.

cvss	0.501
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000