Lunary Security Vulnerabilities (CVEs)
Track 40 security vulnerabilities affecting Lunary products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
This vulnerability allows authenticated users in lunary-ai/lunary to delete prompts belonging to other organizations through ID manipulation. The appl...
Feb 2, 2026
In lunary-ai/lunary version 1.2.2, a privilege escalation vulnerability allows users with 'viewer' role to hijack other user accounts by obtaining pas...
Feb 2, 2026
This vulnerability allows account takeover in lunary-ai/lunary due to improper Google OAuth authentication. Attackers can use access tokens from malic...
Nov 25, 2025
A critical stored XSS vulnerability in lunary-ai/lunary Analytics component allows arbitrary JavaScript execution in all users' browsers when attacker...
Aug 23, 2025
This stored XSS vulnerability in lunary-ai/lunary allows unauthenticated attackers to inject malicious JavaScript via the v1/runs/ingest endpoint. Whe...
Jul 7, 2025
A stored cross-site scripting vulnerability in lunary-ai/lunary allows attackers to inject malicious JavaScript into SAML IdP XML metadata. This JavaS...
Mar 20, 2025
This vulnerability in lunary-ai/lunary exposes both public and private API keys through the GET /projects endpoint to users with minimal permissions l...
Mar 20, 2025
This vulnerability allows low-privilege users to modify checklists in lunary-ai/lunary version 1.4.28 by exploiting missing access controls on the /ch...
Mar 20, 2025
This privilege escalation vulnerability allows administrators in lunary-ai/lunary to invite new users with billing permissions, bypassing intended acc...
Mar 20, 2025
A Regular Expression Denial of Service (ReDoS) vulnerability in lunary-ai/lunary allows attackers to submit specially crafted inputs that cause the se...
Mar 20, 2025
This vulnerability in lunary-ai/lunary allows any user to export the entire database to Google BigQuery without proper authentication or authorization...
Mar 20, 2025
This vulnerability allows unauthorized users to create or modify checklists in lunary-ai/lunary, bypassing permission checks. Attackers can also spoof...
Mar 20, 2025
This vulnerability allows unauthenticated attackers to bypass authentication in lunary-ai/lunary by including '/auth/' in API endpoint paths. Attacker...
Mar 20, 2025
A Regular Expression Denial of Service (ReDoS) vulnerability in lunary-ai/lunary allows attackers to cause indefinite server hangs by sending speciall...
Mar 20, 2025
This vulnerability in lunary-ai/lunary allows authenticated users to upload and execute arbitrary regular expressions on the server, potentially causi...
Mar 20, 2025
This broken access control vulnerability allows authenticated attackers to modify any user's templates in lunary-ai/lunary by sending crafted HTTP POS...
Mar 20, 2025
This vulnerability allows attackers to overwrite existing evaluator data by submitting POST requests with duplicate slugs in the same project. It affe...
Mar 20, 2025
In lunary-ai/lunary version 1.5.6, the /v1/evaluators/ endpoint lacks proper access control, allowing any authenticated user associated with a project...
Mar 20, 2025
This vulnerability allows users with viewer roles in lunary-ai/lunary to modify models owned by other users due to missing privilege checks in the PAT...
Mar 20, 2025
An incorrect authorization vulnerability in lunary-ai/lunary allows users with 'Member' role to regenerate private keys for projects they shouldn't ha...
Nov 14, 2024
This vulnerability exposes account recovery hashes through API endpoints in lunary-ai/lunary, allowing authenticated users to access sensitive informa...
Nov 14, 2024
This SQL injection vulnerability in lunary-ai/lunary v1.4.2 allows attackers to execute arbitrary SQL commands through the `/api/v1/external-users` en...
Nov 1, 2024
An Insecure Direct Object Reference (IDOR) vulnerability in lunary-ai/lunary allows authenticated users to modify other users' prompts by manipulating...
Oct 29, 2024
This IDOR vulnerability in lunary-ai/lunary version 1.3.2 allows authenticated users to view or delete external user accounts by manipulating the 'id'...
Oct 29, 2024
This vulnerability allows unauthorized attackers to modify SAML configuration settings in lunary-ai/lunary version 1.3.2. This can lead to authenticat...
Oct 29, 2024
This vulnerability allows attackers to exploit the user invitation system in lunary-ai/lunary to obtain valid JWT tokens and perform account takeover....
Sep 13, 2024
This CSRF vulnerability in lunary-ai/lunary version 1.2.34 allows attackers to perform unauthorized actions like creating projects by exploiting overl...
Sep 13, 2024
In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows team members with management permissions to manipulate project iden...
Jun 27, 2024
This CVE describes an authorization bypass vulnerability in lunary-ai/lunary version v1.2.13 that allows unauthorized users to access and manipulate p...
Jun 8, 2024
This SSRF vulnerability in lunary-ai/lunary allows attackers to make unauthorized server-side requests to internal or external resources by exploiting...
Jun 6, 2024
This vulnerability allows authenticated users to capture password recovery tokens from other users via the API, enabling account takeover by resetting...
Jun 6, 2024
This IDOR vulnerability in lunary-ai/lunary allows unauthorized users to view, modify, or delete any dataset_prompt or dataset_prompt_variation across...
Jun 6, 2024
This CVE describes an incorrect authorization vulnerability in lunary-ai/lunary that allows unauthenticated users to delete any dataset without proper...
Jun 6, 2024
A Regular Expression Denial of Service (ReDoS) vulnerability in lunary-ai/lunary version 1.2.10 allows attackers to send specially crafted requests th...
Jun 1, 2024
An improper access control vulnerability in lunary-ai/lunary version 1.2.2 allows users to view and update any prompts in any projects due to insuffic...
May 20, 2024
This vulnerability allows any user, including those without authentication, to delete datasets in lunary-ai/lunary by sending a DELETE request to the ...
May 20, 2024
This vulnerability allows unauthorized users to access any organization's evaluation results by simply knowing the evaluation ID, due to missing proje...
Apr 16, 2024
This vulnerability allows attackers to create multiple accounts with the same email address by varying character case (e.g., User@example.com vs user@...
Apr 16, 2024
This vulnerability allows users who have been removed from an organization to continue accessing and manipulating logs and project data using old auth...
Apr 10, 2024
This vulnerability allows removed users to modify organization names in lunary-ai/lunary by reusing old session tokens. Attackers can exploit this aut...
Apr 10, 2024
Why Monitor Lunary Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 40+ known vulnerabilities affecting Lunary products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Lunary packages in under 60 seconds. No agents required - completely agentless scanning that works across Lunary deployments.
Free vulnerability database: Access detailed information about every Lunary CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.