
Lunary-Ai Lunary vulnerabilities

71 known vulnerabilities affecting lunary-ai/lunary-ai_lunary.

Total CVEs: 71
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 33, MEDIUM 28

Vulnerabilities

Page 2 of 4
CVE-2024-7474 | P3 | HIGH | CVSS 8.1 | affected ≥ unspecified, < 1.3.4 | 2024-10-29
CWE-639: In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing unauthorized access to external user data.
Source: nvd

CVE-2024-8999 | P3 | HIGH | CVSS 7.5 | affected ≥ unspecified, < 1.4.26 | 2025-03-20
CWE-862: lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. This vulnerability allows any user to export the entire database data by creating a stream to Google BigQuery without proper authentication or authorization. The issue is fixed in version 1.4.26.
Source: nvd

CVE-2024-5130 | P3 | HIGH | CVSS 7.5 | affected ≥ unspecified, < 1.2.8 | 2024-06-06
CWE-862: An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the curren
Source: nvd

CVE-2024-1626 | P3 | HIGH | CVSS 8.1 | affected ≥ unspecified, < 1.0.0 | 2024-04-16
CWE-639: An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project's ID in the PATCH request to the '/
Source: nvd

CVE-2024-3501 | P3 | HIGH | CVSS 8.1 | affected ≥ unspecified, < 1.2.6 | 2024-11-14
CWE-922: In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized acto
Source: nvd

CVE-2025-4962 | P3 | HIGH | CVSS 7.7 | affected ≥ unspecified, < 1.9.23 | 2025-08-18
CWE-284: An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId` query parameter. The root cause of this issue is the absence of server-side
Source: nvd

CVE-2024-1738 | P3 | HIGH | CVSS 7.5 | affected ≥ unspecified, < 1.2.4 | 2024-04-16
CWE-863: An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL
Source: nvd

CVE-2024-8765 | P3 | HIGH | CVSS 7.3 | affected ≥ unspecified, < 1.4.23 | 2025-03-20
CWE-41: In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. The system incorrectly identifies certain endpoints as public if the path contains '/auth/' anywhere within it. This allows unauthenticated attackers to access sensitive endpoints by including '/auth/' in the path. As a result, attackers can obtain and modify sensitive d
Source: nvd

CVE-2024-3502 | P3 | HIGH | CVSS 8.1 | affected ≥ unspecified, < 1.2.6 | 2024-11-14
CWE-201: In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, whi
Source: nvd

CVE-2024-10272 | P3 | HIGH | CVSS 7.5 | affected ≥ unspecified, < 1.4.9 | 2025-03-20
CWE-862: lunary-ai/lunary is vulnerable to broken access control in the latest version. An attacker can view the content of any dataset without any kind of authorization by sending a GET request to the /v1/datasets endpoint without a valid authorization token.
Source: nvd

CVE-2024-3761 | P3 | HIGH | CVSS 7.5 | affected ≥ unspecified, < 1.2.8 | 2024-05-20
CWE-862: In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `packages/backend/src/api/v1/datasets` is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid token, to delete a dataset by sending a DELETE request to the endpoint. The issu
Source: nvd

CVE-2024-5277 | P3 | HIGH | CVSS 7.5 | affected ≥ unspecified, ≤ latest | 2024-06-06
CWE-640: In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the tok
Source: nvd

CVE-2024-10275 | P3 | HIGH | CVSS 7.3 | affected ≥ unspecified, < 1.5.7 | 2025-03-20
CWE-863: In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an administrator can manage billing, effectively bypassing the intended role-based
Source: nvd

CVE-2024-11137 | P3 | HIGH | CVSS 7.5 | affected ≥ unspecified, < 1.6.1 | 2025-03-20
CWE-639: An Insecure Direct Object Reference (IDOR) vulnerability exists in the `PATCH /v1/runs/:id/score` endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which corresponds to the `runId_score` in the database. The endpoint does not suffic
Source: nvd

CVE-2024-1902 | P3 | HIGH | CVSS 7.5 | affected ≥ unspecified, < 1.2.8 | 2024-04-10
CWE-821: lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper authorization. The vulnerability stems from the lack of validation to check if a user is still part of an organization before allowing them to make changes. An attacker can exploit this by using an old authorization token to s
Source: nvd

CVE-2024-8764 | P3 | HIGH | CVSS 7.5 | affected ≥ unspecified, < 1.4.23 | 2025-03-20
CWE-1333: A vulnerability in lunary-ai/lunary, as of commit be54057, allows users to upload and execute arbitrary regular expressions on the server side. This can lead to a Denial of Service (DoS) condition, as certain regular expressions can cause excessive resource consumption, blocking the server from processing other requests.
Source: nvd

CVE-2024-8789 | P3 | HIGH | CVSS 7.5 | affected ≥ unspecified, < 1.4.23 | 2025-03-20
CWE-1333: Lunary-ai/lunary version git 105a3f6 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The application allows users to upload their own regular expressions, which are then executed on the server side. Certain regular expressions can have exponential runtime complexity relative to the input size, leading to potential denial of serv
Source: nvd

CVE-2024-6862 | P3 | HIGH | CVSS 8.1 | affected ≥ unspecified, < 1.4.10 | 2024-09-13
CWE-352: A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. This vulnerability allows an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are n
Source: nvd

CVE-2024-5714 | P3 | MEDIUM | CVSS 6.8 | affected ≥ unspecified, < 1.4.9 | 2024-06-27
CWE-863: In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with escalated privileges, and change members from other organizat
Source: nvd

CVE-2024-6087 | P3 | MEDIUM | CVSS 6.5 | affected ≥ unspecified, < 1.4.9 | 2024-09-13
CWE-639: An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizati
Source: nvd
Lunary-Ai Lunary vulnerabilities | cvebase