Improper Access Control in Lunary AI's Data Warehouse Product
CVE-2024-8999
7.5 HIGH
What is CVE-2024-8999?
A security flaw in Lunary AI's Lunary version v1.4.25 exposes users to improper access control in the POST /api/v1/data-warehouse/bigquery endpoint. This vulnerability enables unauthorized users to export sensitive database data to Google BigQuery without sufficient authentication checks. The issue has been addressed in version 1.4.26, which restricts access to authenticated users only, thus mitigating potential risks to data integrity.
Affected Version(s)
lunary-ai/lunary < 1.4.26
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
CVSS V3.0
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved