Vendor CVEs
Lunary AI
All CVEs
71 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-1643 | Cri | 0.52 | 9.1 | 0.01 | Apr 10, 2024 | By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. This vulnerability allows unauthorized access and modification of sensitive information, posing a significant… | ||
| CVE-2025-4962 | Hig | 0.43 | 7.7 | 0.00 | Aug 18, 2025 | An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId`… | ||
| CVE-2024-7456 | 0.02 | — | 0.01 | Nov 1, 2024 | A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without… | |||
| CVE-2024-5386 | 0.00 | — | 0.00 | Feb 2, 2026 | In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when… | |||
| CVE-2024-4147 | 0.00 | — | 0.00 | Feb 2, 2026 | In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt… | |||
| CVE-2025-9803 | 0.00 | — | 0.00 | Nov 25, 2025 | lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is… | |||
| CVE-2025-5352 | 0.00 | — | 0.00 | Aug 23, 2025 | A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any… | |||
| CVE-2025-4779 | 0.00 | — | 0.00 | Jul 7, 2025 | lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where… | |||
| CVE-2024-11300 | 0.00 | — | 0.01 | Mar 20, 2025 | In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of another user. This issue affects version 1.6.2 and the main branch. The vulnerability allows unauthorized users to view sensitive prompt data by… | |||
| CVE-2024-10272 | 0.00 | — | 0.01 | Mar 20, 2025 | lunary-ai/lunary is vulnerable to broken access control in the latest version. An attacker can view the content of any dataset without any kind of authorization by sending a GET request to the /v1/datasets endpoint without a valid authorization token. | |||
| CVE-2024-8998 | 0.00 | — | 0.01 | Mar 20, 2025 | A Regular Expression Denial of Service (ReDoS) vulnerability exists in lunary-ai/lunary version git f07a845. The server uses the regex /{.*?}/ to match user-controlled strings. In the default JavaScript regex engine, this regex can take polynomial time to match certain crafted… | |||
| CVE-2025-0281 | 0.00 | — | 0.00 | Mar 20, 2025 | A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. An attacker can inject malicious JavaScript into the SAML IdP XML metadata, which is used to generate the SAML login redirect URL. This URL is then set as the value of… | |||
| CVE-2024-9099 | 0.00 | — | 0.01 | Mar 20, 2025 | In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials,… | |||
| CVE-2024-8765 | 0.00 | — | 0.01 | Mar 20, 2025 | In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. The system incorrectly identifies certain endpoints as public if the path contains '/auth/' anywhere within it. This allows unauthenticated attackers to access sensitive endpoints by including… | |||
| CVE-2024-10330 | 0.00 | — | 0.00 | Mar 20, 2025 | In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/` endpoint lacks proper access control, allowing any user associated with a project to fetch all evaluator data regardless of their role. This vulnerability permits low-privilege users to access potentially sensitive… | |||
| CVE-2024-8789 | 0.00 | — | 0.01 | Mar 20, 2025 | Lunary-ai/lunary version git 105a3f6 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The application allows users to upload their own regular expressions, which are then executed on the server side. Certain regular expressions can have exponential runtime… | |||
| CVE-2024-11301 | 0.00 | — | 0.01 | Mar 20, 2025 | In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an… | |||
| CVE-2024-7476 | 0.00 | — | 0.01 | Mar 20, 2025 | A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is… | |||
| CVE-2024-9096 | 0.00 | — | 0.00 | Mar 20, 2025 | In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. The route lacks proper access control, such as middleware to ensure that only authorized users (e.g., project owners or admins) can modify… | |||
| CVE-2024-9098 | 0.00 | — | 0.01 | Mar 20, 2025 | In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the user creation endpoint does not restrict… | |||
| CVE-2024-8764 | 0.00 | — | 0.01 | Mar 20, 2025 | A vulnerability in lunary-ai/lunary, as of commit be54057, allows users to upload and execute arbitrary regular expressions on the server side. This can lead to a Denial of Service (DoS) condition, as certain regular expressions can cause excessive resource consumption, blocking… | |||
| CVE-2024-10762 | 0.00 | — | 0.01 | Mar 20, 2025 | In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete… | |||
| CVE-2024-9000 | 0.00 | — | 0.01 | Mar 20, 2025 | In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without validating whether the user has proper permissions. This missing access control permits unauthorized users to create checklists, bypassing intended… | |||
| CVE-2024-10275 | 0.00 | — | 0.00 | Mar 20, 2025 | In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an… | |||
| CVE-2024-10274 | 0.00 | — | 0.01 | Mar 20, 2025 | An improper authorization vulnerability exists in lunary-ai/lunary version 1.5.5. The /users/me/org endpoint lacks adequate access control mechanisms, allowing unauthorized users to access sensitive information about all team members in the current organization. This… | |||
| CVE-2024-11137 | 0.00 | — | 0.01 | Mar 20, 2025 | An Insecure Direct Object Reference (IDOR) vulnerability exists in the `PATCH /v1/runs/:id/score` endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which… | |||
| CVE-2024-8763 | 0.00 | — | 0.01 | Mar 20, 2025 | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression… | |||
| CVE-2024-8999 | 0.00 | — | 0.01 | Mar 20, 2025 | lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. This vulnerability allows any user to export the entire database data by creating a stream to Google BigQuery without proper authentication or… | |||
| CVE-2024-10273 | 0.00 | — | 0.00 | Mar 20, 2025 | In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models owned by others. The PATCH endpoint for models does not have appropriate privilege checks, enabling low-privilege users to update models they should… | |||
| CVE-2024-9095 | 0.00 | — | 0.01 | Mar 20, 2025 | In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is… | |||
| CVE-2024-3760 | 0.00 | — | 0.00 | Nov 14, 2024 | In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability. Attackers can exploit this by automating forgot password requests to flood targeted user accounts with a high volume of password reset… | |||
| CVE-2024-3502 | 0.00 | — | 0.00 | Nov 14, 2024 | In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me`… | |||
| CVE-2024-3501 | 0.00 | — | 0.00 | Nov 14, 2024 | In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such… | |||
| CVE-2024-3379 | 0.00 | — | 0.00 | Nov 14, 2024 | In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private… | |||
| CVE-2024-7472 | 0.00 | — | 0.00 | Oct 29, 2024 | lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a… | |||
| CVE-2024-7473 | 0.00 | — | 0.00 | Oct 29, 2024 | An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in… | |||
| CVE-2024-7474 | 0.00 | — | 0.00 | Oct 29, 2024 | In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing… | |||
| CVE-2024-7475 | 0.00 | — | 0.01 | Oct 29, 2024 | An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user… | |||
| CVE-2024-6862 | 0.00 | — | 0.00 | Sep 13, 2024 | A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main… | |||
| CVE-2024-6867 | 0.00 | — | 0.00 | Sep 13, 2024 | An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the… | |||
| CVE-2024-6087 | 0.00 | — | 0.00 | Sep 13, 2024 | An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to… | |||
| CVE-2024-6582 | 0.00 | — | 0.00 | Sep 13, 2024 | A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to… | |||
| CVE-2024-6086 | 0.00 | — | 0.00 | Jun 27, 2024 | In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor'… | |||
| CVE-2024-5755 | 0.00 | — | 0.00 | Jun 27, 2024 | In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. This allows the creation of multiple accounts with essentially the same email address (e.g., 'attacker123@gmail.com' and… | |||
| CVE-2024-5714 | 0.00 | — | 0.01 | Jun 27, 2024 | In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other… | |||
| CVE-2024-5389 | 0.00 | — | 0.00 | Jun 9, 2024 | In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the… | |||
| CVE-2024-4146 | 0.00 | — | 0.01 | Jun 8, 2024 | In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess`… | |||
| CVE-2024-5328 | 0.00 | — | 0.00 | Jun 6, 2024 | A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. The vulnerability arises due to the application's failure to validate user-supplied URLs before using them in… | |||
| CVE-2024-5248 | 0.00 | — | 0.00 | Jun 6, 2024 | In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing… | |||
| CVE-2024-5130 | 0.00 | — | 0.00 | Jun 6, 2024 | An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically,… |
- risk 0.52cvss 9.1epss 0.01
By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. This vulnerability allows unauthorized access and modification of sensitive information, posing a significant…
- risk 0.43cvss 7.7epss 0.00
An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId`…
- CVE-2024-7456Nov 1, 2024risk 0.02cvss —epss 0.01
A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without…
- CVE-2024-5386Feb 2, 2026risk 0.00cvss —epss 0.00
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when…
- CVE-2024-4147Feb 2, 2026risk 0.00cvss —epss 0.00
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt…
- CVE-2025-9803Nov 25, 2025risk 0.00cvss —epss 0.00
lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is…
- CVE-2025-5352Aug 23, 2025risk 0.00cvss —epss 0.00
A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any…
- CVE-2025-4779Jul 7, 2025risk 0.00cvss —epss 0.00
lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where…
- CVE-2024-11300Mar 20, 2025risk 0.00cvss —epss 0.01
In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of another user. This issue affects version 1.6.2 and the main branch. The vulnerability allows unauthorized users to view sensitive prompt data by…
- CVE-2024-10272Mar 20, 2025risk 0.00cvss —epss 0.01
lunary-ai/lunary is vulnerable to broken access control in the latest version. An attacker can view the content of any dataset without any kind of authorization by sending a GET request to the /v1/datasets endpoint without a valid authorization token.
- CVE-2024-8998Mar 20, 2025risk 0.00cvss —epss 0.01
A Regular Expression Denial of Service (ReDoS) vulnerability exists in lunary-ai/lunary version git f07a845. The server uses the regex /{.*?}/ to match user-controlled strings. In the default JavaScript regex engine, this regex can take polynomial time to match certain crafted…
- CVE-2025-0281Mar 20, 2025risk 0.00cvss —epss 0.00
A stored cross-site scripting (XSS) vulnerability exists in lunary-ai/lunary versions 1.6.7 and earlier. An attacker can inject malicious JavaScript into the SAML IdP XML metadata, which is used to generate the SAML login redirect URL. This URL is then set as the value of…
- CVE-2024-9099Mar 20, 2025risk 0.00cvss —epss 0.01
In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials,…
- CVE-2024-8765Mar 20, 2025risk 0.00cvss —epss 0.01
In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. The system incorrectly identifies certain endpoints as public if the path contains '/auth/' anywhere within it. This allows unauthenticated attackers to access sensitive endpoints by including…
- CVE-2024-10330Mar 20, 2025risk 0.00cvss —epss 0.00
In lunary-ai/lunary version 1.5.6, the `/v1/evaluators/` endpoint lacks proper access control, allowing any user associated with a project to fetch all evaluator data regardless of their role. This vulnerability permits low-privilege users to access potentially sensitive…
- CVE-2024-8789Mar 20, 2025risk 0.00cvss —epss 0.01
Lunary-ai/lunary version git 105a3f6 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The application allows users to upload their own regular expressions, which are then executed on the server side. Certain regular expressions can have exponential runtime…
- CVE-2024-11301Mar 20, 2025risk 0.00cvss —epss 0.01
In lunary-ai/lunary before version 1.6.3, the application allows the creation of evaluators without enforcing a unique constraint on the combination of projectId and slug. This allows an attacker to overwrite existing data by submitting a POST request with the same slug as an…
- CVE-2024-7476Mar 20, 2025risk 0.00cvss —epss 0.01
A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is…
- CVE-2024-9096Mar 20, 2025risk 0.00cvss —epss 0.00
In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. The route lacks proper access control, such as middleware to ensure that only authorized users (e.g., project owners or admins) can modify…
- CVE-2024-9098Mar 20, 2025risk 0.00cvss —epss 0.01
In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the user creation endpoint does not restrict…
- CVE-2024-8764Mar 20, 2025risk 0.00cvss —epss 0.01
A vulnerability in lunary-ai/lunary, as of commit be54057, allows users to upload and execute arbitrary regular expressions on the server side. This can lead to a Denial of Service (DoS) condition, as certain regular expressions can cause excessive resource consumption, blocking…
- CVE-2024-10762Mar 20, 2025risk 0.00cvss —epss 0.01
In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete…
- CVE-2024-9000Mar 20, 2025risk 0.00cvss —epss 0.01
In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without validating whether the user has proper permissions. This missing access control permits unauthorized users to create checklists, bypassing intended…
- CVE-2024-10275Mar 20, 2025risk 0.00cvss —epss 0.00
In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an…
- CVE-2024-10274Mar 20, 2025risk 0.00cvss —epss 0.01
An improper authorization vulnerability exists in lunary-ai/lunary version 1.5.5. The /users/me/org endpoint lacks adequate access control mechanisms, allowing unauthorized users to access sensitive information about all team members in the current organization. This…
- CVE-2024-11137Mar 20, 2025risk 0.00cvss —epss 0.01
An Insecure Direct Object Reference (IDOR) vulnerability exists in the `PATCH /v1/runs/:id/score` endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which…
- CVE-2024-8763Mar 20, 2025risk 0.00cvss —epss 0.01
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression…
- CVE-2024-8999Mar 20, 2025risk 0.00cvss —epss 0.01
lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. This vulnerability allows any user to export the entire database data by creating a stream to Google BigQuery without proper authentication or…
- CVE-2024-10273Mar 20, 2025risk 0.00cvss —epss 0.00
In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models owned by others. The PATCH endpoint for models does not have appropriate privilege checks, enabling low-privilege users to update models they should…
- CVE-2024-9095Mar 20, 2025risk 0.00cvss —epss 0.01
In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is…
- CVE-2024-3760Nov 14, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability. Attackers can exploit this by automating forgot password requests to flood targeted user accounts with a high volume of password reset…
- CVE-2024-3502Nov 14, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me`…
- CVE-2024-3501Nov 14, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such…
- CVE-2024-3379Nov 14, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private…
- CVE-2024-7472Oct 29, 2024risk 0.00cvss —epss 0.00
lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a…
- CVE-2024-7473Oct 29, 2024risk 0.00cvss —epss 0.00
An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in…
- CVE-2024-7474Oct 29, 2024risk 0.00cvss —epss 0.00
In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing…
- CVE-2024-7475Oct 29, 2024risk 0.00cvss —epss 0.01
An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user…
- CVE-2024-6862Sep 13, 2024risk 0.00cvss —epss 0.00
A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main…
- CVE-2024-6867Sep 13, 2024risk 0.00cvss —epss 0.00
An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. This endpoint does not verify that the user has the necessary access rights to the run(s) they are accessing. As a result, it returns not only the…
- CVE-2024-6087Sep 13, 2024risk 0.00cvss —epss 0.00
An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to…
- CVE-2024-6582Sep 13, 2024risk 0.00cvss —epss 0.00
A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to…
- CVE-2024-6086Jun 27, 2024risk 0.00cvss —epss 0.00
In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor'…
- CVE-2024-5755Jun 27, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. This allows the creation of multiple accounts with essentially the same email address (e.g., 'attacker123@gmail.com' and…
- CVE-2024-5714Jun 27, 2024risk 0.00cvss —epss 0.01
In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other…
- CVE-2024-5389Jun 9, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the…
- CVE-2024-4146Jun 8, 2024risk 0.00cvss —epss 0.01
In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess`…
- CVE-2024-5328Jun 6, 2024risk 0.00cvss —epss 0.00
A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. The vulnerability arises due to the application's failure to validate user-supplied URLs before using them in…
- CVE-2024-5248Jun 6, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing…
- CVE-2024-5130Jun 6, 2024risk 0.00cvss —epss 0.00
An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically,…
Page 1 of 2