lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. This vulnerability allows any user to export the entire database data by creating a stream to Google BigQuery without proper authentication or authorization. The issue is fixed in version 1.4.26.
CVE ID: CVE-2024-8999
CVSS Base Severity: CRITICAL
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor: lunary-ai
Product: lunary-ai/lunary
EPSS Score: 0.08% (probability of being exploited)
EPSS Percentile: 25.7% (scored less or equal to compared to others)
EPSS Date: 2025-04-18 (when was this score calculated)