CVE-2024-3504

Published: Jun 6, 2024Modified: Oct 15, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Exploitability: 1.2 / Impact: 5.2

Source: NVD

Description

An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.

Affected (1)

Products: Lunary: Lunary

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lunary Lunary	Before 1.2.7

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://github.com/lunary-ai/lunary/commit/f7507f0949f6634f725ebb8da37c44f76542901f

Source: security@huntr.dev

Patch

https://huntr.com/bounties/97958fe4-be21-4b63-966f-8337c72c8e28

Source: security@huntr.dev

ExploitThird Party Advisory

https://github.com/lunary-ai/lunary/commit/f7507f0949f6634f725ebb8da37c44f76542901f

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://huntr.com/bounties/97958fe4-be21-4b63-966f-8337c72c8e28

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.