
CVE-2024-1739

Critical · Public PoC

Published: 16 April 2024
Modified: 18 June 2025
KEV Added: not listed
Patch: (none listed)
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0018 (39.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-1739 is a critical-severity Incorrect Synchronization (CWE-821) vulnerability in Lunary (vendor Lunary, product lunary). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 39.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related: its AI category is Other Platforms and its risk domain is Other ATLAS/OWASP Terms.


Vulnerability details

lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. Specifically, the server fails to treat email addresses as case insensitive, allowing the creation of multiple accounts with the same email address by varying the case of the email characters. For example, accounts for 'abc@gmail.com' and 'Abc@gmail.com' can both be created, leading to potential impersonation and confusion among users.
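The signup flaw described above, shown as an added example (not code from lunary-ai/lunary): an in-memory uniqueness check in the flawed exact-match form beside a hardened form that folds addresses to a normalised key. Treating the local part as case-insensitive is an assumption that matches the advisory's expectation, not a requirement of RFC 5321.

```javascript
// Added example, not lunary's code: signup uniqueness on raw vs. normalised email.

// Normalise an address for uniqueness purposes. The domain part is
// case-insensitive by RFC 5321; the local part is technically case-sensitive,
// but mainstream providers treat it as case-insensitive, so (assumption, matching
// the advisory) the whole address is trimmed and lower-cased.
function normalizeEmail(email) {
  return email.trim().toLowerCase();
}

// Vulnerable variant: the store is keyed on the address exactly as submitted,
// so 'abc@gmail.com' and 'Abc@gmail.com' become two distinct accounts.
function createSignupVulnerable() {
  const accounts = new Map(); // submitted email -> account
  return function signup(email) {
    if (accounts.has(email)) return { ok: false, reason: "email already registered" };
    accounts.set(email, { email });
    return { ok: true, accounts: accounts.size };
  };
}

// Hardened variant: uniqueness is checked and stored on the normalised form.
// In a real deployment the same rule belongs in the database (a unique index on
// lower(email) or a case-insensitive column type) so concurrent signups cannot
// race past an application-level check.
function createSignupHardened() {
  const accounts = new Map(); // normalised email -> account
  return function signup(email) {
    const key = normalizeEmail(email);
    if (accounts.has(key)) return { ok: false, reason: "email already registered" };
    accounts.set(key, { email: key });
    return { ok: true, accounts: accounts.size };
  };
}

// Replay the advisory's own pair of addresses against both variants.
function demo() {
  const vulnerable = createSignupVulnerable();
  const hardened = createSignupHardened();
  const pair = ["abc@gmail.com", "Abc@gmail.com"];
  return {
    vulnerable: pair.map((e) => vulnerable(e).ok), // [true, true]: two accounts created
    hardened: pair.map((e) => hardened(e).ok),     // [true, false]: second signup rejected
  };
}
```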

CWE(s)

CWE-821 Incorrect Synchronization

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Lunary.ai (lunary-ai/lunary) is an open-source LLM observability and management platform for monitoring, evaluating, and debugging AI/ML applications, categorized under Other Platforms in the AI ecosystem. The vulnerability is a general authentication flaw reported on an AI/ML bug bounty platform (Huntr).

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136.003 Cloud Account (Persistence): Adversaries may create a cloud account to maintain access to victim systems.
T1036.010 Masquerade Account Name (Stealth): Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign.
T1078.004 Cloud Accounts (Stealth): Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability enables exploitation of a public-facing web application (T1190) to bypass email uniqueness validation, allowing unauthorized creation of cloud-like accounts (T1136.003) whose case-variant emails masquerade as legitimate account names (T1036.010) for subsequent use as valid accounts (T1078.004).

Affected Assets

Vendor: lunary
Product: lunary
Versions: ≤ 1.0.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
