CVE-2024-10273

6.5 MEDIUM

📋 TL;DR

This vulnerability allows users with the viewer role in lunary-ai/lunary to modify models owned by other users. The PATCH endpoint for models checks that the caller is authenticated but not that the caller owns the model or holds a role permitted to edit it, so a viewer can alter any model whose ID they supply. It affects deployments running version 1.5.0 of lunary and lets low-privilege users change AI model configurations that other users and downstream applications depend on.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: v1.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The missing check is present in every v1.5.0 deployment, but it is only exploitable where an account with the viewer role exists that is not the owner of the target model. A single-user installation has no such account and is therefore not exploitable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

A viewer-role account, whether an insider or a compromised low-privilege login, rewrites production model configurations it does not own, breaking the applications that depend on them or pointing them at attacker-chosen settings.

🟠 Likely Case

Internal users with viewer access accidentally or intentionally modify models they should not be able to touch, causing configuration drift, data integrity issues, and operational disruptions.

🟢 If Mitigated

With the fix applied, only a model's owner or an authorized administrator can modify it; viewers are read-only and their PATCH requests are rejected with 403.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account with the viewer role and the ID of a model owned by another user. The request is an ordinary PATCH to the models API, so no special tooling is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: fixed in commit 8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc; any release or build that includes this commit (i.e. later than v1.5.0) is fixed

Vendor Advisory (fix commit): https://github.com/lunary-ai/lunary/commit/8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc

Restart Required: Yes

Instructions:

1. Update to the latest lunary release, or to any build that includes commit 8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc
2. Restart the lunary service (redeploy the container image if that is how you run it)
3. Confirm the fix is live: a viewer-role user sending a PATCH to a model owned by someone else must receive 403 Forbidden and the model must be unchanged (see How to Verify)
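The bug class behind this CVE is a PATCH handler that authenticates the caller but never authorizes the caller against the object being edited. The following TypeScript is an added illustration, not lunary's code: the role set, the Model shape, the in-memory store and the handler signatures are assumptions chosen to put the vulnerable and hardened handlers side by side. The last function replays the check from step 3 (a viewer PATCHing a model it does not own) against both handlers.

```typescript
// Added illustration of the missing-privilege-check pattern behind
// CVE-2024-10273. NOT lunary's code: Role, Model, the store and the
// handler signatures are assumptions; lunary's real schema differs.

type Role = "admin" | "member" | "viewer";

interface User {
  id: string;
  role: Role;
}

interface Model {
  id: string;
  ownerId: string;
  name: string;
  provider: string;
}

// Fields a caller may change through PATCH. id and ownerId are excluded so
// a request body cannot reassign ownership (mass-assignment guard).
const EDITABLE_FIELDS = ["name", "provider"] as const;
type ModelPatch = Partial<Pick<Model, (typeof EDITABLE_FIELDS)[number]>>;

interface ApiResponse {
  status: number;
  body: Model | { error: string };
}

type Store = Map<string, Model>;

// Constructed fixture: two users' models, seeded fresh per scenario.
function newStore(): Store {
  return new Map<string, Model>([
    ["m-alice", { id: "m-alice", ownerId: "alice", name: "prod-gpt", provider: "openai" }],
    ["m-bob", { id: "m-bob", ownerId: "bob", name: "eval-claude", provider: "anthropic" }],
  ]);
}

// VULNERABLE shape: the caller is authenticated (we have a User), but
// nothing ties the actor to the model. Any viewer can rewrite any model,
// and an unfiltered body can even change ownerId.
function patchModelVulnerable(store: Store, actor: User, id: string, body: Record<string, unknown>): ApiResponse {
  const model = store.get(id);
  if (!model) return { status: 404, body: { error: "model not found" } };
  const updated: Model = Object.assign({}, model, body);
  store.set(id, updated);
  return { status: 200, body: updated };
}

// The check the vulnerable handler lacks: viewers are read-only, admins may
// edit any model, everyone else only their own.
function canEditModel(actor: User, model: Model): boolean {
  if (actor.role === "viewer") return false;
  if (actor.role === "admin") return true;
  return model.ownerId === actor.id;
}

// Keep only whitelisted string fields from an untrusted request body.
function pickEditable(body: Record<string, unknown>): ModelPatch {
  const patch: ModelPatch = {};
  for (const field of EDITABLE_FIELDS) {
    const value = body[field];
    if (typeof value === "string") patch[field] = value;
  }
  return patch;
}

// HARDENED shape: load the object, authorize the actor against it, then
// apply a filtered patch. (Some teams return 404 instead of 403 here to
// avoid confirming that a model ID exists; either is acceptable.)
function patchModelFixed(store: Store, actor: User, id: string, body: Record<string, unknown>): ApiResponse {
  const model = store.get(id);
  if (!model) return { status: 404, body: { error: "model not found" } };
  if (!canEditModel(actor, model)) return { status: 403, body: { error: "forbidden" } };
  const updated: Model = { ...model, ...pickEditable(body) };
  store.set(id, updated);
  return { status: 200, body: updated };
}

// Replays the verification check: a viewer PATCHes a model owned by
// someone else (and tries to take ownership). Reports the status the
// handler returned and what the stored model looks like afterwards.
function viewerEditsForeignModel(handler: typeof patchModelFixed): { status: number; changed: boolean; ownerId: string } {
  const store = newStore();
  const viewer: User = { id: "carol", role: "viewer" };
  const res = handler(store, viewer, "m-alice", { name: "pwned", ownerId: "carol" });
  const after = store.get("m-alice")!;
  return { status: res.status, changed: after.name !== "prod-gpt", ownerId: after.ownerId };
}

export {};
```

The vulnerable handler answers the viewer's request with 200 and the stored model now carries the attacker's name and owner; the fixed handler answers 403 and leaves the record untouched, which is exactly what the post-patch verification should observe.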

🔧 Temporary Workarounds

Temporary API endpoint restriction (all platforms)

Block PATCH requests to the /api/models endpoint at a reverse proxy or API gateway in front of lunary. The proxy cannot see the caller's role, so the simplest safe rule is to reject PATCH on that path for everyone until the patch is applied (administrators lose model editing temporarily). Restrict by role only if a trusted authentication proxy injects the role header and strips any client-supplied copy; a header the client can set is not an access control.

# Example nginx config (X-User-Role must be set by a trusted auth proxy, never by the client):
# in the http {} block:
map "$request_method:$http_x_user_role" $deny_model_patch {
    default        0;
    "PATCH:viewer" 1;
}
# in the server {} block:
location /api/models {
    if ($deny_model_patch) {
        return 403;
    }
    # keep your existing proxy_pass / upstream directives here
}

🧯 If You Can't Patch

  • Restrict reachability of the model management API to administrator hosts or a management network until patched; network controls cannot tell roles apart, so the restriction applies to the endpoint, not to viewer users specifically
  • Enable detailed audit logging for all model modification attempts (actor, role, model ID, owner, result) and alert on any PATCH by a viewer or any successful change by a non-owner

🔍 How to Verify

Check if Vulnerable:

Using an account with the viewer role, obtain the ID of a model owned by a different user and send a PATCH to /api/models/{id} with a harmless change (for example a new name). A 2xx response, or a model that differs afterwards, means the deployment is vulnerable; revert the change once confirmed.

Check Version:

Check the version field in the repository's package.json, the git tag, or the container image tag of the running deployment. The server is deployed from its repository or container image, and "lunary-ai/lunary" is not an npm package name (the npm package called lunary is the client SDK), so npm list will not report the server version. If you deploy from a checkout, confirm the fix commit is in the history with: git merge-base --is-ancestor 8ba1b8ba2c2c30b1cec30eb5777c1fda670cbbfc HEAD (exit status 0 means it is included)

Verify Fix Applied:

Repeat the same PATCH as the viewer: a fixed build returns 403 Forbidden and the model is unchanged, while the same PATCH sent by the model's owner still succeeds

📡 Detection & Monitoring

Log Indicators:

  • PATCH requests to /api/models from users with viewer role
  • Successful model modifications from non-owner accounts

Network Indicators:

  • Unusual PATCH request patterns to model endpoints
  • Model modification requests from unexpected IP addresses

SIEM Query:

source="lunary" AND (method="PATCH" AND path="/api/models/*") AND user_role="viewer"

Field names (source, method, path, user_role) are placeholders: map them onto the fields your reverse proxy or application logs actually carry. Add a second rule for successful PATCHes whose actor is not the model's owner; that one needs the model ownership table joined in.
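The two log indicators above, implemented as an added TypeScript detection routine run over constructed sample log lines. This is not lunary's logging format or code: the JSON access-log shape, its field names, the ownership table and the set of roles allowed to edit any model are assumptions, to be mapped onto what your proxy or application actually emits.

```typescript
// Added detection example for the indicators above. NOT lunary's log
// format: the AccessLog shape, field names, MODEL_OWNERS and the
// privileged-role set are assumptions; the sample lines are constructed.

interface AccessLog {
  ts: string;
  method: string;
  path: string;
  status: number;
  userId: string;
  role: string;
}

interface Finding {
  ts: string;
  userId: string;
  role: string;
  modelId: string;
  reason: "viewer_patch" | "non_owner_success";
}

// Endpoint named in the advisory, with the model ID captured (query
// string and fragment excluded from the ID).
const MODEL_ITEM_PATH = /^\/api\/models\/([^\/?#]+)/;

// Constructed ownership table (in practice exported from the models table).
const MODEL_OWNERS: Record<string, string> = { "m-alice": "alice", "m-bob": "bob" };

// Roles assumed to edit any model legitimately; tune to your policy.
const PRIVILEGED_ROLES = new Set<string>(["admin"]);

// Parse one JSON access-log line; malformed or incomplete lines are skipped
// rather than allowed to abort the whole scan.
function parseLine(line: string): AccessLog | null {
  let obj: unknown;
  try {
    obj = JSON.parse(line);
  } catch {
    return null;
  }
  if (typeof obj !== "object" || obj === null) return null;
  const r = obj as Record<string, unknown>;
  if (typeof r.ts !== "string" || typeof r.method !== "string" || typeof r.path !== "string" ||
      typeof r.status !== "number" || typeof r.userId !== "string" || typeof r.role !== "string") {
    return null;
  }
  return { ts: r.ts, method: r.method, path: r.path, status: r.status, userId: r.userId, role: r.role };
}

// Indicator 1: any PATCH to a model by a viewer (even a rejected one is
// worth seeing, since viewers have no business sending it).
// Indicator 2: a successful PATCH by a non-owner who is not privileged.
function detectModelTampering(lines: string[], owners: Record<string, string>,
                              privileged: Set<string> = PRIVILEGED_ROLES): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry || entry.method !== "PATCH") continue;
    const m = MODEL_ITEM_PATH.exec(entry.path);
    if (!m) continue;
    const modelId = m[1];
    const base = { ts: entry.ts, userId: entry.userId, role: entry.role, modelId };
    if (entry.role === "viewer") {
      findings.push({ ...base, reason: "viewer_patch" });
      continue;
    }
    const succeeded = entry.status >= 200 && entry.status < 300;
    const owner = owners[modelId];
    if (succeeded && owner !== undefined && owner !== entry.userId && !privileged.has(entry.role)) {
      findings.push({ ...base, reason: "non_owner_success" });
    }
  }
  return findings;
}

// Constructed sample lines (not real lunary output).
const SAMPLE_LINES: string[] = [
  '{"ts":"2024-10-22T10:00:01Z","method":"PATCH","path":"/api/models/m-alice","status":200,"userId":"carol","role":"viewer"}',
  '{"ts":"2024-10-22T10:00:02Z","method":"PATCH","path":"/api/models/m-alice","status":200,"userId":"alice","role":"member"}',
  '{"ts":"2024-10-22T10:00:03Z","method":"PATCH","path":"/api/models/m-alice?x=1","status":200,"userId":"bob","role":"member"}',
  '{"ts":"2024-10-22T10:00:04Z","method":"GET","path":"/api/models/m-alice","status":200,"userId":"carol","role":"viewer"}',
  '{"ts":"2024-10-22T10:00:05Z","method":"PATCH","path":"/api/models/m-bob","status":200,"userId":"root","role":"admin"}',
  '{"ts":"2024-10-22T10:00:06Z","method":"PATCH","path":"/api/models/m-bob","status":403,"userId":"dave","role":"member"}',
  '{"ts":"2024-10-22T10:00:07Z","method":"PATCH","path":"/api/models","status":405,"userId":"carol","role":"viewer"}',
  "not json at all",
];

function runSample(): Finding[] {
  return detectModelTampering(SAMPLE_LINES, MODEL_OWNERS);
}

export {};
```

Over the sample, only two lines fire: carol's viewer PATCH on m-alice (indicator 1) and bob's successful PATCH on a model owned by alice (indicator 2). The owner's own edit, the admin's edit, the rejected 403, the GET and the collection-path PATCH are all left alone, which is the noise floor you want before wiring this into an alert.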

🔗 References
