Lunary-Ai Lunary vulnerabilities
71 known vulnerabilities affecting lunary-ai/lunary-ai_lunary.
Total CVEs: 71
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 33, MEDIUM 28
Vulnerabilities
Page 1 of 4
CVE-2024-5386 | P2 | HIGH | CVSS 8.8 | affected: < 1.2.14 | 2026-02-02
CWE-1125 | source: nvd
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role user sends a specific request to the server, which respo…
CVE-2024-7475 | P3 | CRITICAL | CVSS 9.1 | affected: < 1.3.4 | 2024-10-29
CWE-862 | source: nvd
An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user information. Appropriate access controls should be implemented to ensure that the S…
CVE-2024-7456 | P3 | CRITICAL | CVSS 9.8 | affected: < 1.4.3 | 2024-11-01
CWE-89 | source: nvd
A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbi…
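The pattern CVE-2024-7456 describes, and the usual fix for it, as an added example that is not Lunary's code: a request-controlled sort field interpolated into an ORDER BY through a raw-SQL helper, beside a version that maps the request parameter onto a fixed set of column names. The `unsafe` helper, table and column names are stand-ins chosen for this example.

```typescript
// Added example, not Lunary's code. `unsafe` stands in for a raw-SQL helper
// such as `sql.unsafe`: whatever text the caller assembles is exactly what the
// database will be asked to run. Table and column names are hypothetical.
function unsafe(fragment: string): string {
  return fragment;
}

// VULNERABLE: field and direction come straight from the query string.
function vulnerableExternalUsersQuery(orderByField: string, orderByDirection: string): string {
  const orderByClause = `${orderByField} ${orderByDirection}`;
  return `SELECT id, external_id, created_at FROM external_user ORDER BY ${unsafe(orderByClause)}`;
}

// HARDENED: the request may only name a key from this map, and the value that
// reaches the SQL text is the server-chosen column, never the caller's string.
// A Map (rather than a plain object) means "constructor" or "__proto__" cannot
// resolve to an inherited property and slip past the check.
const SORTABLE_COLUMNS = new Map<string, string>([
  ["createdAt", "created_at"],
  ["lastSeen", "last_seen"],
  ["externalId", "external_id"],
]);

function isSortableField(field: string): boolean {
  return SORTABLE_COLUMNS.has(field);
}

function buildOrderBy(field: string, direction: string): string {
  const column = SORTABLE_COLUMNS.get(field);
  if (column === undefined) {
    throw new Error(`unsortable field: ${field}`);
  }
  // Anything other than an explicit "desc" becomes ASC: there is no third state.
  const dir = direction.toLowerCase() === "desc" ? "DESC" : "ASC";
  return `${column} ${dir}`;
}

function safeExternalUsersQuery(field: string, direction: string): string {
  // buildOrderBy returns only allowlisted identifiers, so the fragment can pass
  // through the raw helper without the caller's input ever reaching the SQL.
  return `SELECT id, external_id, created_at FROM external_user ORDER BY ${unsafe(buildOrderBy(field, direction))}`;
}
```

Parameter binding does not help here: ORDER BY takes an identifier, not a value, so the only sound defence is to choose the identifier server-side from a closed set and reject everything else with a 400 before the query is built.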
CVE-2024-9095 | P3 | CRITICAL | CVSS 9.8 | affected: < 1.4.30 | 2025-03-20
CWE-862 | source: nvd
In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is protected by a config check (`config.DATA_WAREHOUSE_EXPORTS_ALLOWED`), b…
CVE-2024-4146 | P3 | CRITICAL | CVSS 9.8 | affected: < 1.2.26 | 2024-06-08
CWE-863 | source: nvd
In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess` method within the authorization middleware, which fails to adequately verif…
CVE-2024-1740 | P3 | CRITICAL | CVSS 9.1 | affected: < 1.2.7 | 2024-04-10
CWE-863 | source: nvd
In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which does not properly invalidate upon the user's removal fr…
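CVE-2024-4146 (a project check that does not tie the project to the caller's organization) and CVE-2024-1740 (a token that keeps working after the user is removed; the same pattern recurs in CVE-2024-1741) are two failures of one check. The following is an added example, not Lunary's code, of a project-access function that derives every decision from the current membership table rather than from anything recorded at login. In-memory Maps stand in for the database, the token format is a placeholder, and all names are hypothetical.

```typescript
// Added example, not Lunary's code. Maps stand in for database tables; the
// token format and every name here are hypothetical.
type Role = "owner" | "admin" | "member" | "viewer";
const ROLE_RANK: Record<Role, number> = { owner: 3, admin: 2, member: 1, viewer: 0 };

// What a bearer token resolves to. The orgId recorded here is a UI hint only;
// it must never be the authority for an access decision.
interface Session { userId: string; orgId: string; }

const memberships = new Map<string, Map<string, Role>>(); // orgId -> (userId -> role)
const projects = new Map<string, string>();                // projectId -> owning orgId
const sessions = new Map<string, Session>();               // token -> session

let tokenSeq = 0;
function issueToken(userId: string, orgId: string): string {
  const token = `tok-${++tokenSeq}`;   // placeholder for a random, unguessable token
  sessions.set(token, { userId, orgId });
  return token;
}

function addMember(orgId: string, userId: string, role: Role): void {
  let members = memberships.get(orgId);
  if (!members) { members = new Map(); memberships.set(orgId, members); }
  members.set(userId, role);
}

function removeMember(orgId: string, userId: string): void {
  memberships.get(orgId)?.delete(userId);
}

function createProject(projectId: string, orgId: string): void {
  projects.set(projectId, orgId);
}

// VULNERABLE: a valid token plus an existing project is enough. Nothing ties
// the project to the caller's org, and removal from the org changes nothing
// while the token lives.
function vulnerableCheckProjectAccess(token: string, projectId: string): boolean {
  const session = sessions.get(token);
  return session !== undefined && projects.has(projectId);
}

type Decision = { ok: true; role: Role } | { ok: false; status: 401 | 403 | 404 };

// HARDENED: every step consults what the database says right now.
function checkProjectAccess(token: string, projectId: string, minRole: Role): Decision {
  const session = sessions.get(token);
  if (!session) return { ok: false, status: 401 };

  // 1. Resolve the project to its owning org; an unknown project is 404.
  const orgId = projects.get(projectId);
  if (orgId === undefined) return { ok: false, status: 404 };

  // 2. Look up the caller's *current* role in that org. A removed member, or a
  //    member of some other org, has no row here and is refused.
  const role = memberships.get(orgId)?.get(session.userId);
  if (role === undefined) return { ok: false, status: 403 };

  // 3. Enforce the minimum role the route requires.
  if (ROLE_RANK[role] < ROLE_RANK[minRole]) return { ok: false, status: 403 };

  return { ok: true, role };
}
```

Two design notes. Step 2 is what makes removal take effect immediately: because the role is read per request, there is no token to revoke. And many teams return 404 rather than 403 in step 2, so that a caller in another org cannot confirm that a project id exists; either is fine as long as it is consistent across routes.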
CVE-2024-5128 | P3 | HIGH | CVSS 8.8 | affected: < 1.2.25 | 2024-06-06
CWE-639 | source: nvd
An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. This vulnerability allows unauthorized users to view, update, or delete any dataset_prompt or dataset_prompt_variation within any dataset or project. The issue stems from improper access control checks in the dataset…
CVE-2024-5328 | P3 | CRITICAL | CVSS 9.3 | affected: ≤ latest | 2024-06-06
CWE-918 | source: nvd
A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. The vulnerability arises due to the application's failure to validate user-supplied URLs before using them in server-side requests. An attacker can exploit this vulnerability by sending a…
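The validation CVE-2024-5328 says was missing, as an added example that is not Lunary's code: a screen applied to a caller-supplied IdP metadata URL before the server fetches it. The blocked-host list and function names are hypothetical, and the screen is syntactic plus IP-literal filtering; what it does not cover is in the note after the block.

```typescript
// Added example, not Lunary's code. Names are hypothetical.
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]);

type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

function parseIPv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// "This network", RFC 1918, loopback, CGNAT, and link-local (which is where
// cloud metadata services such as 169.254.169.254 live).
function isInternalIPv4(o: number[]): boolean {
  return (
    o[0] === 0 || o[0] === 10 || o[0] === 127 ||
    (o[0] === 100 && o[1] >= 64 && o[1] <= 127) ||
    (o[0] === 169 && o[1] === 254) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168)
  );
}

function validateIdpMetadataUrl(raw: string): UrlCheck {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "only https is allowed" };
  if (url.username !== "" || url.password !== "") return { ok: false, reason: "credentials in URL" };

  // WHATWG parsing has already lower-cased the host and rewritten numeric forms
  // such as 2130706433 or 0x7f000001 into dotted-quad notation, so the checks
  // below see the canonical host.
  const host = url.hostname;
  if (BLOCKED_HOSTNAMES.has(host)) return { ok: false, reason: `blocked host ${host}` };
  if (host.startsWith("[")) return { ok: false, reason: "IPv6 literals are not accepted" };

  const v4 = parseIPv4(host);
  if (v4 !== null && isInternalIPv4(v4)) return { ok: false, reason: `internal address ${host}` };
  // Single-label names ("intranet", "db") only resolve inside the network.
  if (v4 === null && !host.includes(".")) return { ok: false, reason: "unqualified hostname" };

  return { ok: true, url };
}
```

This check runs before any network I/O, so it cannot see where a public hostname actually resolves. Two things still have to happen at fetch time: the resolved address must be checked against the same ranges at connection time (or the request sent through an egress proxy that has no route to internal networks), and redirects must not be followed automatically, since each hop is a new URL that needs the same screen.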
CVE-2024-1741 | P3 | CRITICAL | CVSS 9.1 | affected: < 1.2.8 | 2024-04-10
CWE-863 | source: nvd
lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on prompt templates by sending HTTP requests with their previously captured autho…
CVE-2024-1739 | P3 | CRITICAL | CVSS 9.1 | affected: < 1.0.2 | 2024-04-16
CWE-821 | source: nvd
lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. Specifically, the server fails to treat email addresses as case insensitive, allowing the creation of multiple accounts with the same email address by varying the case of the email characters. For example, accounts for '…
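The property CVE-2024-1739 says was missing, as an added example that is not Lunary's code: one canonical form for e-mail addresses, applied before every store and every lookup, so that signup, login and password reset agree on which account a string names. The in-memory user store and names are hypothetical; folding with NFKC in addition to case is a choice made for this example, not something the advisory mentions.

```typescript
// Added example, not Lunary's code. The Map stands in for the accounts table.
interface User { id: number; email: string; }

const usersByEmail = new Map<string, User>(); // keyed by canonical form
let nextUserId = 1;

// One canonical form, applied before *every* lookup and before storing.
// Lower-casing the whole address: RFC 5321 permits a case-sensitive local
// part, but no mainstream provider honours that, and treating "Alice@" and
// "alice@" as different people is exactly the bug being fixed. NFKC folds
// full-width and other compatibility characters onto their ASCII forms so
// look-alike spellings do not create parallel accounts either.
function canonicalEmail(raw: string): string {
  const email = raw.trim().normalize("NFKC").toLowerCase();
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1 || /\s/.test(email)) {
    throw new Error("invalid e-mail address");
  }
  return email;
}

type SignupResult = { ok: true; user: User } | { ok: false; reason: string };

function signup(rawEmail: string): SignupResult {
  const email = canonicalEmail(rawEmail);
  if (usersByEmail.has(email)) {
    return { ok: false, reason: "an account with this e-mail already exists" };
  }
  const user: User = { id: nextUserId++, email };
  usersByEmail.set(email, user);
  return { ok: true, user };
}

function findUserByEmail(rawEmail: string): User | undefined {
  return usersByEmail.get(canonicalEmail(rawEmail));
}

// Database backstop, so a code path that forgets canonicalEmail still cannot
// create a second row (PostgreSQL syntax, hypothetical table name):
//   CREATE UNIQUE INDEX account_email_ci ON account (lower(email));
```

The unique index on lower(email) is the part worth keeping even if the application layer is rewritten: it turns a missed normalization into a constraint violation instead of a second account.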
CVE-2025-9803 | P3 | HIGH | CVSS 8.8 | affected: < 1.9.35 | 2025-11-25
CWE-287 | source: nvd
lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued…
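The claim checks a relying party makes on a Google-issued identity token, with the `aud` comparison CVE-2025-9803 reports as missing, as an added example that is not Lunary's code. It assumes the token's signature has already been verified against Google's published keys (or that the claims came back from Google's tokeninfo endpoint over TLS); the client ID, issuer list and names are placeholders.

```typescript
// Added example, not Lunary's code. Assumes signature verification (or a
// tokeninfo lookup) already happened; this is the claim-set check only.
interface GoogleClaims {
  iss: string;
  aud: string | string[];
  sub: string;
  exp: number;            // seconds since epoch
  email?: string;
  email_verified?: boolean;
}

const OUR_CLIENT_ID = "000000000000-example.apps.googleusercontent.com"; // placeholder
const GOOGLE_ISSUERS = new Set(["https://accounts.google.com", "accounts.google.com"]);

type IdentityCheck =
  | { ok: true; subject: string; email: string }
  | { ok: false; reason: string };

function verifyGoogleClaims(
  claims: GoogleClaims,
  clientId: string = OUR_CLIENT_ID,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): IdentityCheck {
  if (!GOOGLE_ISSUERS.has(claims.iss)) {
    return { ok: false, reason: `unexpected issuer ${claims.iss}` };
  }
  // The audience check. A token Google minted for some other application is
  // still a genuine Google token, and whoever holds it may be that application
  // rather than the user. Only a token whose aud names *this* client was meant
  // for us.
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(clientId)) {
    return { ok: false, reason: "aud does not name this application" };
  }
  if (!(claims.exp > nowSeconds)) {
    return { ok: false, reason: "token expired" };
  }
  if (!claims.sub) {
    return { ok: false, reason: "missing subject" };
  }
  // Linking an account by e-mail is only safe when the issuer vouches for it.
  if (claims.email === undefined || claims.email_verified !== true) {
    return { ok: false, reason: "e-mail not verified by issuer" };
  }
  return { ok: true, subject: claims.sub, email: claims.email };
}
```

Key the local account on `sub`, which is stable for the life of the Google account, and use `email` only for display and first-time linking; an e-mail can change hands, a subject cannot.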
CVE-2024-1643 | P3 | CRITICAL | CVSS 9.1 | affected: < 1.2.2 | 2024-04-10
CWE-200 | source: nvd
By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. This vulnerability allows unauthorized access and modification of sensitive information, posing a significant security risk. The flaw is due to insufficient verification of user permissi…
CVE-2024-9099 | P3 | HIGH | CVSS 8.1 | affected: < 1.5.7 | 2025-03-20
CWE-1230 | source: nvd
In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to perform actions on behalf of the project, access private d…
CVE-2024-5133 | P3 | HIGH | CVSS 8.1 | affected: ≤ latest | 2024-06-06
CWE-200 | source: nvd
In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the `GET /v1/users/me/org` endpoint, which lists all users in a team. This allows any authenticated…
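CVE-2024-9099 (project API keys returned to viewers) and CVE-2024-5133 (password-recovery tokens returned in the member list) have the same shape: a database row serialized wholesale. The following is an added example, not Lunary's code, of building responses from explicit per-role field allowlists, plus a runtime guard that refuses to send any payload whose keys look like credentials. Row shapes, role names and the secret-key pattern are hypothetical.

```typescript
// Added example, not Lunary's code. Row shapes and names are hypothetical.
type Role = "owner" | "admin" | "member" | "viewer";

interface ProjectRow {
  id: string;
  name: string;
  org_id: string;
  public_key: string;    // meant to be embedded in client-side SDKs
  private_key: string;   // server-side credential
}

interface UserRow {
  id: string;
  email: string;
  role: Role;
  password_hash: string;
  recovery_token: string | null;
}

interface ProjectView { id: string; name: string; publicKey: string; privateKey?: string }
interface MemberView { id: string; email: string; role: Role }

// Only owners and admins ever receive the private key, and even they get it
// through this one function, so there is a single place to audit.
function serializeProject(row: ProjectRow, viewerRole: Role): ProjectView {
  const view: ProjectView = { id: row.id, name: row.name, publicKey: row.public_key };
  if (viewerRole === "owner" || viewerRole === "admin") {
    view.privateKey = row.private_key;
  }
  return view;
}

// A member listing never needs authentication material, whoever is asking.
function serializeMember(row: UserRow): MemberView {
  return { id: row.id, email: row.email, role: row.role };
}

// Defence in depth for the day someone writes `{ ...row }` again: keys that
// must never appear in any response, regardless of role. (privateKey is
// deliberately absent: whether it may be sent depends on the role above.)
const NEVER_SEND_PATTERN = /password|recovery_token|reset_token|_secret$/i;

// Walks a response payload and returns the paths of any forbidden keys; a
// non-empty result should turn into a 500 and an alert, not a 200.
function findLeakedSecretKeys(payload: unknown): string[] {
  const leaked: string[] = [];
  const visit = (value: unknown, path: string): void => {
    if (Array.isArray(value)) {
      value.forEach((v, i) => visit(v, `${path}[${i}]`));
    } else if (value !== null && typeof value === "object") {
      for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
        const p = path ? `${path}.${k}` : k;
        if (NEVER_SEND_PATTERN.test(k)) leaked.push(p);
        visit(v, p);
      }
    }
  };
  visit(payload, "");
  return leaked;
}
```

The guard is cheap enough to run on every response in a Koa or Express middleware; the point is that a serializer mistake becomes a visible failure on the first request rather than a credential leak that persists until someone reads the JSON.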
CVE-2024-5389 | P3 | HIGH | CVSS 8.1 | affected: ≤ latest | 2024-06-09
CWE-1220 | source: nvd
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or…
CVE-2024-4151 | P3 | HIGH | CVSS 8.1 | affected: < 1.2.25 | 2024-05-20
CWE-639 | source: nvd
An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially…
CVE-2025-5352 | P3 | CRITICAL | CVSS 9.6 | affected: < 1.9.25 | 2025-08-23
CWE-79 | source: nvd
A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users…
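One way to honour a "custom script" deployment setting without handing the configured string to dangerouslySetInnerHTML, the sink CVE-2025-5352 describes, as an added example that is not Lunary's code: the setting is treated as a script URL restricted to an allowlisted host, and the only thing emitted is a `<script src>` tag with the re-serialized URL in an escaped attribute. The allowed host, the tag shape and the function name are placeholders chosen for this example.

```typescript
// Added example, not Lunary's code. The host allowlist is a placeholder.
const ALLOWED_SCRIPT_HOSTS = new Set(["cdn.example.com"]);

function escapeAttribute(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns the <script> tag to emit, or "" when the setting is absent or does
// not pass policy. The configured string itself never reaches the output:
// only the URL as re-serialized by the parser does, and only inside a quoted,
// escaped attribute, so markup in the setting cannot become markup in the page.
function customScriptTag(configValue: string | undefined): string {
  if (!configValue) return "";
  let url: URL;
  try {
    url = new URL(configValue);
  } catch {
    return "";
  }
  if (url.protocol !== "https:" || !ALLOWED_SCRIPT_HOSTS.has(url.hostname)) return "";
  return `<script src="${escapeAttribute(url.href)}"></script>`;
}
```

Pair this with a Content-Security-Policy whose script-src names the same host; then even a future regression that does inject raw HTML cannot execute an inline script. And keep in mind what "stored" means here: the payload lives in deployment configuration, so whoever can set environment variables on the host can run code in every user's browser, and that setting deserves the same change control as a credential.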
CVE-2024-3379 | P3 | HIGH | CVSS 8.1 | affected: < 1.2.7 | 2024-11-14
CWE-863 | source: nvd
In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. Specifically, a user with a 'Member' role can issue a request to regenerate the private key of a project without having the necessary permissions or being assigned to…
CVE-2024-5129 | P3 | HIGH | CVSS 8.2 | affected: < 1.2.8 | 2024-06-06
CWE-862 | source: nvd
A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user requesting the deletion has the appropriate permissions. This allows unauthorized…
CVE-2024-10762 | P3 | HIGH | CVSS 8.1 | affected: < 1.5.9 | 2025-03-20
CWE-862 | source: nvd
In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluat…