Access Control Flaw in Lunary AI Allows Unauthorized Checklist Management
CVE-2024-9000
6.5 MEDIUM
What is CVE-2024-9000?
Lunary AI before version 1.4.26 contains an improper access control flaw in the checklists.post() endpoint. The handler creates or modifies checklists without validating that the caller is permitted to do so, and it does not enforce uniqueness of the checklist 'slug' field, so an authenticated low-privileged user can overwrite an existing checklist simply by submitting a request that reuses its slug. Because the existing checklist is replaced rather than duplicated, the impact is to data integrity: a legitimate checklist can be silently altered or swapped for an attacker-controlled version. Users of Lunary AI should upgrade to version 1.4.26 or later.
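The two defects described above, a missing permission check and an unenforced unique slug, shown side by side with a hardened handler. This is an added example in TypeScript, not Lunary's own code: the role names, the request shape, the project scoping and the in-memory store are all assumptions made for illustration.

```typescript
// Added illustration of CVE-2024-9000's two defects; not Lunary's code.
// Assumptions: users belong to one project and carry a role; only
// "owner" and "admin" may manage checklists; slugs are unique per project.

type Role = "owner" | "admin" | "member" | "viewer";

interface User { id: string; projectId: string; role: Role; }
interface Checklist { slug: string; projectId: string; ownerId: string; data: string; }
interface CreateRequest { slug: string; data: string; }
type Response = { status: number; body: Checklist | { error: string } };

// Assumed policy: which roles may create or modify checklists.
const CAN_MANAGE_CHECKLISTS: ReadonlySet<Role> = new Set<Role>(["owner", "admin"]);

class ChecklistStore {
  // Keyed by "<projectId>/<slug>", so a slug is unique within a project.
  private rows = new Map<string, Checklist>();

  private key(projectId: string, slug: string): string {
    return `${projectId}/${slug}`;
  }

  get(projectId: string, slug: string): Checklist | undefined {
    return this.rows.get(this.key(projectId, slug));
  }

  // VULNERABLE: mirrors the flaw described. Any authenticated caller is
  // accepted, and Map.set() silently overwrites an existing slug (an upsert
  // where an insert was intended).
  postUnchecked(user: User, req: CreateRequest): Checklist {
    const row: Checklist = { slug: req.slug, projectId: user.projectId, ownerId: user.id, data: req.data };
    this.rows.set(this.key(user.projectId, req.slug), row);
    return row;
  }

  // HARDENED: authorize before touching state, validate the slug (assumed
  // format), and refuse a slug that already exists instead of replacing it.
  post(user: User, req: CreateRequest): Response {
    if (!CAN_MANAGE_CHECKLISTS.has(user.role)) {
      return { status: 403, body: { error: "forbidden" } };
    }
    if (!/^[a-z0-9]+(?:-[a-z0-9]+)*$/.test(req.slug)) {
      return { status: 400, body: { error: "invalid slug" } };
    }
    const k = this.key(user.projectId, req.slug);
    if (this.rows.has(k)) {
      return { status: 409, body: { error: "slug already exists" } };
    }
    const row: Checklist = { slug: req.slug, projectId: user.projectId, ownerId: user.id, data: req.data };
    this.rows.set(k, row);
    return { status: 201, body: row };
  }
}

// Constructed scenario: an admin creates a checklist, then a low-privileged
// member tries to replace it by reusing the slug, against both handlers.
function scenario() {
  const admin: User = { id: "u1", projectId: "p1", role: "admin" };
  const member: User = { id: "u2", projectId: "p1", role: "member" };
  const legit: CreateRequest = { slug: "release-gate", data: "run tests; sign artifacts" };
  const hostile: CreateRequest = { slug: "release-gate", data: "skip tests" };

  // Vulnerable path: the member's request overwrites the admin's checklist.
  const weak = new ChecklistStore();
  weak.post(admin, legit);
  weak.postUnchecked(member, hostile);
  const clobbered = weak.get("p1", "release-gate");

  // Hardened path: the member is rejected before any write, and even an
  // admin reusing the slug gets a conflict rather than an overwrite.
  const hard = new ChecklistStore();
  const created = hard.post(admin, legit);
  const blocked = hard.post(member, hostile);
  const conflict = hard.post(admin, hostile);
  const intact = hard.get("p1", "release-gate");

  return {
    createdStatus: created.status,
    overwrittenByMember: clobbered?.ownerId === "u2" && clobbered.data === "skip tests",
    blockedStatus: blocked.status,
    conflictStatus: conflict.status,
    stillIntact: intact?.ownerId === "u1" && intact.data === legit.data,
  };
}
```

The check-then-insert in `post()` is still a race under concurrent requests: two callers can both pass the `has()` test before either writes. In a real deployment the application-level check should be backed by a database UNIQUE constraint on (project_id, slug), with the constraint violation mapped to the same 409 response.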
Affected Version(s)
lunary-ai/lunary < 1.4.26
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
CVSS V3.0
Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved