CVE-2024-1626
Published: 16 April 2024
Summary
CVE-2024-1626 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Lunary (lunary-ai/lunary). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The CVE is ranked at the 27.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Other ATLAS/OWASP Terms risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-17366
Vulnerability details
An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project's ID in the PATCH request to the '/v1/projects/:projectId' endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated user, enabling unauthorized modifications across different organizational projects.
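The weakness above, as an added illustration that is not Lunary's code: a vulnerable handler that trusts the `projectId` from the URL, beside a hardened one that only resolves a project within the caller's own organisation. The in-memory store, the `orgId` field on each project and the `session.orgId` taken from the authenticated session are all assumptions made for the example.

```javascript
// Added example of the CWE-639 pattern in a PATCH /v1/projects/:projectId handler.
// Not Lunary's code: the store, the orgId on each project and session.orgId are assumed.
function createStore() {
  // Constructed sample data: two projects owned by two different organisations.
  return new Map([
    ["proj-a1", { id: "proj-a1", orgId: "org-1", name: "Chatbot QA" }],
    ["proj-b2", { id: "proj-b2", orgId: "org-2", name: "Support Agent" }],
  ]);
}

// Vulnerable shape: the key comes straight from the URL and is never tied to the
// caller, so any authenticated user can rename any project in the system.
function patchProjectVulnerable(store, session, projectId, body) {
  const project = store.get(projectId);
  if (!project) return { status: 404 };
  project.name = body.name;
  return { status: 200, project: { ...project } };
}

// Hardened shape: the project is resolved only within the caller's organisation
// (the SQL equivalent is WHERE id = ? AND org_id = ?), so a foreign projectId can
// never reach a row, whatever the client supplies.
function patchProjectFixed(store, session, projectId, body) {
  if (typeof body.name !== "string" || body.name.trim() === "") return { status: 400 };
  const project = store.get(projectId);
  // Answer 404 rather than 403 so the response does not confirm that the ID exists.
  if (!project || project.orgId !== session.orgId) return { status: 404 };
  project.name = body.name;
  return { status: 200, project: { ...project } };
}
```

Auditing every handler that takes an object ID from the path for the same org-scoped lookup is the general check; the rename endpoint is just the instance this CVE covers.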
- CWE(s): CWE-639 Authorization Bypass Through User-Controlled Key
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Lunary (lunary-ai/lunary) is an open-source observability and management platform for LLM applications, fitting under Enterprise AI Assistants as it supports enterprise-grade monitoring and management of AI/LLM projects.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Stored Data Manipulation (T1565.001)
Why these techniques?
The IDOR vulnerability allows authenticated users to perform unauthorized updates to any project's name via the API endpoint, enabling stored data manipulation across organizations.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.