Access Control Flaw in Lunary AI Affects Database Security
CVE-2024-9095
What is CVE-2024-9095?
An access control flaw has been identified in Lunary AI's API, specifically within the /bigquery route in version v1.4.28. This vulnerability allows any logged-in user to create a Datastream to Google BigQuery, potentially leading to unauthorized database exports. Sensitive data, including password hashes and API keys, can be exposed due to the lack of robust user authorization checks. Although there is a configuration check present, it fails to assess the user's access level appropriately. This oversight creates opportunities for data extraction, threatens service integrity, and raises concerns about the compromise of account credentials.
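The flaw class described above, shown as an added illustration rather than Lunary's own code: a route that gates the BigQuery export on a configuration flag and a login check only, beside a hardened version that also makes an explicit authorization decision. The `role` field, the `bigqueryExportEnabled` flag, the in-memory store and the sample users are assumptions constructed for the example.

```javascript
// Added illustration of the access-control flaw class; NOT Lunary's code.
// Assumed (not from the advisory): a role field on the user, a deployment-wide
// flag enabling the export feature, and an in-memory datastream store.

const datastreams = [];

// Constructed sample configuration and principals.
const CONFIG_EXPORT_ENABLED = { bigqueryExportEnabled: true };
const ADMIN_USER = { id: "u1", orgId: "org1", role: "admin" };
const MEMBER_USER = { id: "u2", orgId: "org1", role: "member" };

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

function createDatastream(user, body) {
  const ds = { id: `ds-${datastreams.length + 1}`, orgId: user.orgId,
               createdBy: user.id, dataset: body.dataset };
  datastreams.push(ds);
  return ds;
}

// Vulnerable pattern: only verifies that the caller is logged in and that the
// feature is switched on. A configuration check says nothing about WHO may
// export the organisation's data, so any member can trigger an export.
function vulnerableBigQueryHandler(user, config, body) {
  if (!user) throw new HttpError(401, "login required");
  if (!config.bigqueryExportEnabled) throw new HttpError(404, "feature disabled");
  return createDatastream(user, body);
}

// Hardened pattern: same checks, plus an authorization decision tied to the
// caller's access level, taken before anything is created.
const EXPORT_ROLES = new Set(["owner", "admin"]);

function hardenedBigQueryHandler(user, config, body) {
  if (!user) throw new HttpError(401, "login required");
  if (!config.bigqueryExportEnabled) throw new HttpError(404, "feature disabled");
  if (!EXPORT_ROLES.has(user.role)) {
    throw new HttpError(403, "insufficient privileges for data export");
  }
  return createDatastream(user, body);
}

// Returns the HTTP status a handler would produce for a given caller.
function statusFor(handler, user, config, body) {
  try { handler(user, config, body); return 200; }
  catch (e) { return e instanceof HttpError ? e.status : 500; }
}
```

Comparing `statusFor` across both handlers for a plain member shows the difference the advisory describes: the vulnerable route returns 200 and creates the datastream, the hardened one returns 403 and creates nothing.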

Affected Version(s)
lunary-ai/lunary < 1.4.30
