CVE-2024-9096: Improper Authorization in lunary-ai/lunary
Description
In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. The route lacks proper access control, such as middleware to ensure that only authorized users (e.g., project owners or admins) can modify checklist data. This vulnerability allows any user associated with the project, regardless of their role, to modify checklists, including changing the slug or data fields, which can lead to tampering with essential project workflows, altering business logic, and introducing errors that undermine integrity.
Classification
CVE ID: CVE-2024-9096
CVSS Base Severity: HIGH
CVSS Base Score: 7.6
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Problem Types
CWE-285 Improper AuthorizationAffected Products
Vendor: lunary-ai
Product: lunary-ai/lunary
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.03% (probability of being exploited)
EPSS Percentile: 5.44% (scored less or equal to compared to others)
EPSS Date: 2025-04-18 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2024-9096https://huntr.com/bounties/653e7109-4c21-4e33-b636-7598d3202b9a
https://github.com/lunary-ai/lunary/commit/a8d7b2959e87c30fbafdb12af7ffa093385dcc60