CVE-2024-5131
Published: 06 June 2024
Summary
CVE-2024-5131 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Lunary (lunary-ai/lunary). Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 44.1 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants and falls in the Privacy and Disclosure risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46388
Vulnerability details
An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. The vulnerability allows unauthorized users to view any prompts in any projects by supplying a specific prompt ID to an endpoint that does not adequately verify the ownership of the prompt ID. This issue was fixed in version 1.2.25.
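The ownership failure described above, as an added illustration in TypeScript (a constructed data model and function names, not Lunary's own code or schema): the vulnerable lookup keys only on the client-supplied prompt ID, while the scoped lookup restricts the query to projects the caller is a member of, so a foreign ID behaves exactly like a non-existent one.

```typescript
// Constructed illustration of CWE-639 as described for CVE-2024-5131.
// Types, sample data and function names are assumptions for this example.
type Prompt = { id: string; projectId: string; body: string };
type Membership = { userId: string; projectId: string };

// Constructed sample data: two projects, one member each.
const prompts: Prompt[] = [
  { id: "p-100", projectId: "proj-A", body: "system prompt for project A" },
  { id: "p-200", projectId: "proj-B", body: "system prompt for project B" },
];
const memberships: Membership[] = [
  { userId: "alice", projectId: "proj-A" },
  { userId: "bob", projectId: "proj-B" },
];

// Vulnerable pattern: the caller's identity is ignored and the prompt ID is
// the only key, so any authenticated user can read any project's prompt.
function getPromptVulnerable(_userId: string, promptId: string): Prompt | undefined {
  return prompts.find((p) => p.id === promptId);
}

// Hardened pattern: derive the caller's allowed projects server-side and
// scope the lookup to them. An ID outside those projects returns undefined,
// the same as a missing ID, so the endpoint neither leaks the prompt nor
// confirms that it exists.
function getPromptScoped(userId: string, promptId: string): Prompt | undefined {
  const allowed = new Set(
    memberships.filter((m) => m.userId === userId).map((m) => m.projectId),
  );
  return prompts.find((p) => p.id === promptId && allowed.has(p.projectId));
}
```

A detection-side corollary: a single account fetching many distinct prompt IDs that resolve to projects it is not a member of is the access pattern this bug class produces.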
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Lunary.ai is an open-source LLM observability and management platform (an alternative to LangSmith) for tracking prompts, projects, and AI/LLM applications. It fits the Enterprise AI Assistants category because it supports enterprise deployment and monitoring of AI assistants.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The improper access control (IDOR) vulnerability in the public-facing web application endpoint enables exploitation for initial access (T1190) and unauthorized collection of project prompts from the information repository (T1213).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.