
CVE-2024-9098: Privilege Escalation in lunary-ai/lunary

7.3 CVSS

Description

In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the user creation endpoint does not restrict admins from inviting users with billing roles. As a result, admins can circumvent the intended access control, posing a risk to the organization's financial resources.

Classification

CVE ID: CVE-2024-9098

CVSS Base Severity: HIGH

CVSS Base Score: 7.3

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Problem Types

CWE-284 Improper Access Control

Affected Products

Vendor: lunary-ai

Product: lunary-ai/lunary

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 4.21% (share of scored CVEs with an EPSS score at or below this one)

EPSS Date: 2025-04-18 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-9098
https://huntr.com/bounties/75d466ae-8591-44d5-9160-eea7cad0c4fc
https://github.com/lunary-ai/lunary/commit/a8d7b2959e87c30fbafdb12af7ffa093385dcc60

Timeline