We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-9096

Improper Authorization in lunary-ai/lunary



Description

In lunary-ai/lunary version 1.4.28, the /checklists/:id route allows low-privilege users to modify checklists by sending a PATCH request. The route lacks proper access control, such as middleware to ensure that only authorized users (e.g., project owners or admins) can modify checklist data. This vulnerability allows any user associated with the project, regardless of their role, to modify checklists, including changing the slug or data fields, which can lead to tampering with essential project workflows, altering business logic, and introducing errors that undermine integrity.

Reserved 2024-09-22 | Published 2025-03-20 | Updated 2025-03-20 | Assigner @huntr_ai


HIGH: 7.6CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Problem types

CWE-285 Improper Authorization

Product status

Any version before 1.4.30
affected

References

huntr.com/bounties/653e7109-4c21-4e33-b636-7598d3202b9a

github.com/...ommit/a8d7b2959e87c30fbafdb12af7ffa093385dcc60

cve.org (CVE-2024-9096)

nvd.nist.gov (CVE-2024-9096)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2024-9096

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.