CVE-2024-1902
Published: 10 April 2024
Summary
CVE-2024-1902 is a high-severity Incorrect Synchronization (CWE-821) vulnerability in Lunary (lunary-ai/lunary). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Accounts (T1078.004). It is ranked at the 27.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-17624
Vulnerability details
lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper authorization. The vulnerability stems from the lack of validation to check if a user is still part of an organization before allowing them to make changes. An attacker can exploit this by using an old authorization token to send a PATCH request, modifying the organization's name even after being removed from the organization. This issue is due to incorrect synchronization and affects the orgs.patch route.
- CWE(s): CWE-821 Incorrect Synchronization
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Lunary-ai/lunary is an open-source LLM observability and management platform, fitting the 'Other Platforms' category for AI/ML tools, as confirmed by the AI/ML bug bounty context on Huntr.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows reuse of stale authorization tokens by removed users to perform unauthorized PATCH requests modifying organization settings via the cloud API, facilitating Valid Accounts (Cloud Accounts) for persistence and Cloud Administration Command for execution.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.