CVE-2024-5386

9.6 CRITICAL

📋 TL;DR

In lunary-ai/lunary version 1.2.2, a privilege escalation vulnerability allows users with the 'viewer' role to hijack other user accounts by obtaining their password reset tokens. Specific requests sent by a viewer-role user leak recovery tokens, enabling unauthorized password resets. All organizations running the vulnerable version are affected.

💻 Affected Systems

Products:
  • lunary-ai/lunary
Versions: 1.2.2
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with viewer-role users; the vulnerability is present in default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of any user, including administrators, leading to data theft, system compromise, and privilege escalation across the entire platform.

🟠 Likely Case

Unauthorized access to user accounts, potential data exposure, and privilege escalation within the application.

🟢 If Mitigated

Limited impact if proper access controls and monitoring are in place, but the flaw still represents a serious authentication bypass.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires viewer-level credentials; the vulnerability is well documented in public references, including the specific request patterns involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit fc7ab3d5621c18992da5dab3a2a9a8d227d42311

Vendor Advisory: https://github.com/lunary-ai/lunary/commit/fc7ab3d5621c18992da5dab3a2a9a8d227d42311

Restart Required: Yes

Instructions:

1. Update to the latest version of lunary-ai/lunary.
2. Apply the fix from commit fc7ab3d5621c18992da5dab3a2a9a8d227d42311.
3. Restart the lunary service.
4. Verify the fix by testing password reset functionality.

🔧 Temporary Workarounds

Restrict viewer role access
Platform: all

Temporarily remove or restrict viewer role permissions until patching is complete.

# Review and modify user role assignments in lunary configuration

Monitor password reset requests
Platform: all

Implement logging and alerting for password reset token generation and usage.

# Configure application logging to capture all password reset events

🧯 If You Can't Patch

  • Implement network segmentation to isolate lunary instances from critical systems
  • Enforce multi-factor authentication for all user accounts

🔍 How to Verify

Check if Vulnerable:

Confirm whether the deployment runs lunary version 1.2.2, and test whether a viewer-role user can obtain password reset tokens for other accounts via API requests.

Check Version:

Check lunary version in application settings or via package manager: npm list lunary-ai/lunary

Verify Fix Applied:

After patching, verify that viewer-role users cannot obtain password reset tokens for other accounts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual password reset requests from viewer-role users
  • Multiple password reset attempts for different accounts from the same source

Network Indicators:

  • API requests to password reset endpoints from unauthorized roles
  • Unusual patterns in authentication-related traffic

SIEM Query:

source="lunary" AND (event="password_reset" OR event="recovery_token") AND user_role="viewer"
