CVE-2024-6086

Published: Jun 27, 2024Modified: Oct 15, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.

Affected (1)

Products: Lunary: Lunary

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lunary Lunary	Version 1.2.7

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (3)

https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54

Source: security@huntr.dev

https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643

Source: security@huntr.dev

ExploitThird Party Advisory

https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.