CVE-2024-4146

9.8 CRITICAL

📋 TL;DR

This CVE describes an authorization bypass vulnerability in lunary-ai/lunary version v1.2.13 that allows unauthorized users to access and manipulate projects they shouldn't have access to. Attackers can gain complete control over project resources including creating, updating, reading, and deleting sensitive information. Organizations using the affected version of lunary-ai/lunary are impacted.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: v1.2.13
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using the vulnerable authorization middleware with project access controls.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all project data, including sensitive information, unauthorized data manipulation, and potential data destruction across all projects in the organization.

🟠 Likely Case

Unauthorized access to project resources leading to data exposure, privilege escalation, and potential data manipulation by authenticated but unauthorized users.

🟢 If Mitigated

Limited to authenticated users within the organization; proper authorization prevents cross-project access and manipulation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but minimal technical skill to manipulate project access requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit c43b6c62035f32ca455f66d5fd22ba661648cde7

Vendor Advisory: https://github.com/lunary-ai/lunary/commit/c43b6c62035f32ca455f66d5fd22ba661648cde7

Restart Required: Yes

Instructions:

1. Update lunary-ai/lunary to a version after commit c43b6c62035f32ca455f66d5fd22ba661648cde7.
2. Restart the application.
3. Verify the fix by testing project access controls.

🔧 Temporary Workarounds

Temporary access restriction

Platforms: all

Implement network-level restrictions to limit access to project management endpoints.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to lunary instances
  • Enable detailed audit logging for all project access attempts and monitor for unauthorized access patterns

🔍 How to Verify

Check if Vulnerable:

Check whether you are running lunary-ai/lunary version v1.2.13 by examining the package version or the git commit hash.

Check Version:

Check package.json or the git log for version and commit information.

Verify Fix Applied:

Test project access controls by attempting to access projects with users who should not have permission to them; such requests must be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized project access attempts
  • Multiple project access requests from single user across different projects
  • Failed authorization checks in middleware logs

Network Indicators:

  • Unusual patterns of API calls to project endpoints
  • Multiple project ID requests from single user session

SIEM Query:

search 'project_access' OR 'authorization_failed' OR 'unauthorized_project' in application logs
