Cyber Resilience

CVE-2024-4154

MediumPublic PoC

Published: 21 May 2024

Published
21 May 2024
Modified
31 January 2025
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0011 28.1th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-4154 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Lunary Lunary. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain.

EU & UK References

Vulnerability details

In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project,…

more

despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Lunary.ai is an open-source LLM engineering and observability platform (LLM ops) for managing AI/LLM projects, reported via an AI/ML bug bounty platform (Huntr), making it AI-related infrastructure.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability enables unprivileged users to perform unauthorized PATCH requests to rename projects, facilitating exploitation for privilege escalation (T1068) and stored data manipulation (T1565.001) by altering project metadata.

Affected Assets

lunary
lunary
≤ 1.2.26

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-639

Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

addresses: CWE-639

Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

References