CVE-2024-4151
Published: 20 May 2024
Summary
CVE-2024-4151 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Lunary (lunary-ai/lunary). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud API (T1059.009). It is ranked at the 31.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain; MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010), Obtain Capabilities (AML.T0016), LLM Prompt Injection (AML.T0051).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-32710
Vulnerability details
An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to manipulate or access sensitive project data, potentially leading to data integrity and confidentiality issues.
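The weakness described above is object-level authorization: the handler trusts the client-supplied version id and never checks that the caller belongs to the project that owns the record. The following is an added example, not code from the Lunary project, using a hypothetical in-memory data model (projects, templates, versions and memberships are all constructed here) to show the unchecked lookup beside a hardened handler that resolves the record up to its owning project, requires membership for both GET and PATCH, and allow-lists the fields a PATCH may change.

```javascript
// Added example: object-level authorization for template-version endpoints.
// Hypothetical in-memory model; not Lunary's schema or code.
const projects = new Map([
  ["proj-a", { id: "proj-a", members: new Set(["alice"]) }],
  ["proj-b", { id: "proj-b", members: new Set(["bob"]) }],
]);
const templates = new Map([
  ["tpl-1", { id: "tpl-1", projectId: "proj-a" }],
  ["tpl-2", { id: "tpl-2", projectId: "proj-b" }],
]);
const versions = new Map([
  ["ver-1", { id: "ver-1", templateId: "tpl-1", content: "Summarise: {{input}}" }],
  ["ver-2", { id: "ver-2", templateId: "tpl-2", content: "Translate: {{input}}" }],
]);

// Vulnerable pattern (CWE-639): only the client-supplied id is consulted; nothing
// ties the authenticated user to the project that owns the record.
function getVersionUnchecked(_user, versionId) {
  const v = versions.get(versionId);
  return v ? { status: 200, body: v } : { status: 404 };
}

// Hardened pattern: walk version -> template -> project before doing anything.
function resolveOwningProject(versionId) {
  const v = versions.get(versionId);
  if (!v) return null;
  const t = templates.get(v.templateId);
  if (!t) return null;
  const p = projects.get(t.projectId);
  return p ? { version: v, project: p } : null;
}

// Same 404 for "does not exist" and "not your project", so the id space cannot be
// probed to distinguish the two cases.
function authorize(user, versionId) {
  const owned = resolveOwningProject(versionId);
  if (!owned || !owned.project.members.has(user)) return { status: 404 };
  return { status: 200, version: owned.version };
}

function getVersion(user, versionId) {
  const r = authorize(user, versionId);
  return r.status === 200 ? { status: 200, body: r.version } : r;
}

// Allow-list of mutable fields: a PATCH must not be able to re-parent a version
// onto another template (and thus another project) or touch its id.
const PATCHABLE = new Set(["content"]);

function patchVersion(user, versionId, patch) {
  const r = authorize(user, versionId);
  if (r.status !== 200) return r;
  for (const key of Object.keys(patch)) {
    if (!PATCHABLE.has(key)) return { status: 400, error: `field not patchable: ${key}` };
  }
  for (const key of Object.keys(patch)) r.version[key] = patch[key];
  return { status: 200, body: r.version };
}
```

The two-pass PATCH (validate every key, then apply) keeps a rejected request from leaving a half-applied update behind; the allow-list also stops keys such as `templateId` or `__proto__` from reaching the stored object.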
- CWE(s): CWE-639 Authorization Bypass Through User-Controlled Key
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Lunary.ai is an open-source LLM observability and management platform for monitoring, debugging, and improving LLM applications, fitting under 'Other Platforms' as it is neither a framework, library, nor specific AI subdomain tool but a broader AI/ML platform. The vulnerability affects access to prompts and project data used in AI/LLM workflows.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The improper access control in GET/PATCH requests for template versions enables unauthorized data collection from information repositories (T1213) and stored data manipulation (T1565.001) via abuse of the cloud/web API (T1059.009).
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.