Access Control Vulnerability in Lunary AI affecting Evaluators Endpoint
CVE-2024-10330

6.5MEDIUM

Key Information:

Vendor: Lunary-ai
Status: Lunary-ai/lunary
Vendor: CVE Published:; 20 March 2025

What is CVE-2024-10330?

In Lunary AI version 1.5.6, a vulnerability exists in the /v1/evaluators/ endpoint due to insufficient access controls. This allows any user associated with a project to retrieve all evaluator data, irrespective of their access privileges. Consequently, users with minimal permissions could potentially view sensitive evaluation information, posing a significant risk to data confidentiality.

Affected Version(s)

lunary-ai/lunary < 1.5.7

References

https://huntr.com/bounties/598ecd65-1723-4fb7-a9aa-9c4f56...

https://github.com/lunary-ai/lunary/commit/8ba1b8ba2c2c30...

CVSS V3.0

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Oct 24, 2024

Lunary-ai

What is CVE-2024-10330?

Affected Version(s)

References

CVSS V3.0

Timeline