Privilege Escalation Vulnerability in Lunary by Lunary AI
CVE-2024-9098
6.1 MEDIUM
What is CVE-2024-9098?
A privilege escalation vulnerability was identified in Lunary AI's user creation (invitation) endpoint. The endpoint does not restrict which roles an administrator may assign, so an admin can invite a new user directly into the billing role without the access control that should gate that role. Accounts created this way gain access to sensitive billing resources, potentially compromising the financial integrity of the organization.
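To make the missing check concrete, here is an added illustration (not Lunary's own code) of an invitation handler in the shape described above, beside a hardened version. The role names, the grant matrix, and the in-memory user store are assumptions for the example; the point is that the vulnerable handler authorises the caller but never asks whether that caller may grant the requested role.

```typescript
// Added illustration, not Lunary's own code: a minimal invitation handler
// showing the missing check described in CVE-2024-9098 (an admin able to
// assign the billing role on invite) next to a hardened version.
// Role names and the grant matrix below are assumptions for the example.

type Role = "owner" | "admin" | "member" | "billing";

const ROLES: readonly Role[] = ["owner", "admin", "member", "billing"];

interface User {
  id: string;
  email: string;
  role: Role;
}

interface InviteRequest {
  email: string;
  role: unknown; // taken straight from the request body: untrusted
}

interface InviteResult {
  ok: boolean;
  status: number;
  invited?: User;
  error?: string;
}

// In-memory stand-in for the user table (constructed test data).
const users: User[] = [];

function isRole(value: unknown): value is Role {
  return typeof value === "string" && (ROLES as readonly string[]).includes(value);
}

// Vulnerable shape: authorises the *caller* (must be owner or admin) but
// never asks whether that caller may grant the *requested* role, so an
// admin can invite a user directly into the billing role.
function inviteUserVulnerable(inviter: User, req: InviteRequest): InviteResult {
  if (inviter.role !== "owner" && inviter.role !== "admin") {
    return { ok: false, status: 403, error: "forbidden" };
  }
  if (!isRole(req.role)) {
    return { ok: false, status: 400, error: "invalid role" };
  }
  const invited: User = { id: `u${users.length + 1}`, email: req.email, role: req.role };
  users.push(invited);
  return { ok: true, status: 201, invited };
}

// Hardened shape: an explicit grant matrix keyed on the inviter's role.
// Which roles an admin may hand out is a policy choice; here (assumption)
// only the owner can grant billing, and nobody can grant owner via invite.
const GRANTABLE: Record<Role, readonly Role[]> = {
  owner: ["admin", "member", "billing"],
  admin: ["member"],
  member: [],
  billing: [],
};

function canGrant(inviterRole: Role, requested: Role): boolean {
  return GRANTABLE[inviterRole].includes(requested);
}

function inviteUser(inviter: User, req: InviteRequest): InviteResult {
  if (!isRole(req.role)) {
    return { ok: false, status: 400, error: "invalid role" };
  }
  if (!canGrant(inviter.role, req.role)) {
    // Deny by default: the decision is on the pair (inviter role,
    // requested role), not on the inviter alone.
    return { ok: false, status: 403, error: `role ${inviter.role} may not grant ${req.role}` };
  }
  const invited: User = { id: `u${users.length + 1}`, email: req.email, role: req.role };
  users.push(invited);
  return { ok: true, status: 201, invited };
}
```

When reviewing a fix for this class of bug, look for exactly that pair-wise check: a handler that only verifies the caller's role (or only validates that the requested role exists) still lets any admin hand out the most sensitive role the enum contains.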
Affected Version(s)
lunary-ai/lunary < 1.4.30
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
CVSS V3.0
Score: 7.3
Severity: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged