CVE-2024-5386
Published: 02 February 2026
Summary
CVE-2024-5386 is a high-severity Excessive Attack Surface (CWE-1125) vulnerability in Lunary (lunary-ai/lunary). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 4.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): Enforces least privilege to prevent 'viewer' role users from accessing or obtaining password reset tokens of other accounts, directly mitigating the privilege escalation and account hijacking.
- Requires protection of authenticator content from unauthorized disclosure and modification, addressing the leak of 'recoveryToken' values in server responses to low-privileged users.
- AC-3 (Access Enforcement): Mandates enforcement of approved access authorizations, blocking unauthorized requests that expose password reset tokens to lower-privileged 'viewer' users.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Password reset token exposure in responses directly enables credential leakage (T1552) and subsequent unauthorized account takeover for privilege escalation (T1068).
NVD Description
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role user sends a specific request to the server, which responds with a password reset token in the 'recoveryToken' parameter. This token can then be used to reset the password of another user's account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts.
Deeper analysis
CVE-2024-5386 is an account hijacking vulnerability in lunary-ai/lunary version 1.2.2, stemming from a password reset token leak. The flaw arises due to an excessive attack surface that exposes the 'recoveryToken' parameter in server responses, enabling unauthorized access. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-1125.
A low-privileged user with a 'viewer' role can exploit the vulnerability by sending a specific request to the server, which leaks a password reset token for another user's account. The attacker can then use this token to reset the target account's password without further authorization, resulting in full account takeover and privilege escalation from viewer-level access.
Patches and mitigation details are available in the fixing commit at https://github.com/lunary-ai/lunary/commit/fc7ab3d5621c18992da5dab3a2a9a8d227d42311 and the associated Huntr bounty report at https://huntr.com/bounties/602eb4a1-305d-46d6-b975-5a5d8b040ad1.
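The defensive pattern the AC-3/AC-6 controls above call for, as an added TypeScript illustration that is not Lunary's code and does not reproduce its fix: the record shape, role names and function names are assumptions, and only the leaked field name 'recoveryToken' is taken from the advisory. It shows the raw-row response beside an access-checked, allow-listed projection, plus a response scanner that can serve as a regression test.

```typescript
// Added example, not Lunary's code. Record shape, role names and function names are
// assumptions; only the leaked field name 'recoveryToken' comes from the advisory.
type Role = "owner" | "admin" | "member" | "viewer";
interface UserRecord {
  id: string;
  email: string;
  role: Role;
  recoveryToken: string | null; // password-reset secret: must never be serialized
  passwordHash: string;         // likewise
}

// Response shape built by allow-listing, so a secret column added later stays hidden.
interface PublicUser { id: string; email: string; role: Role; }
const SECRET_FIELDS: ReadonlySet<string> = new Set(["recoveryToken", "passwordHash"]);

function toPublic(u: UserRecord): PublicUser {
  return { id: u.id, email: u.email, role: u.role };
}

// Vulnerable pattern (the bug class in the advisory): the raw row is returned to any
// authenticated caller, secrets included.
function vulnerableGetUser(_caller: UserRecord, target: UserRecord): UserRecord {
  return target;
}

// Hardened: enforce access authorization (AC-3) and least privilege (AC-6), then
// project. A viewer may read only its own record; owners and admins may read any.
function getUserHardened(caller: UserRecord, target: UserRecord): PublicUser {
  const isSelf = caller.id === target.id;
  const isPrivileged = caller.role === "owner" || caller.role === "admin";
  if (!isSelf && !isPrivileged) throw new Error("forbidden: insufficient role");
  return toPublic(target);
}

// Regression check for tests or a response filter: does any nested object in the
// body carry a secret field name?
function leaksSecret(body: unknown): boolean {
  if (Array.isArray(body)) return body.some((item) => leaksSecret(item));
  if (body !== null && typeof body === "object") {
    const obj = body as Record<string, unknown>;
    return Object.keys(obj).some((k) => SECRET_FIELDS.has(k) || leaksSecret(obj[k]));
  }
  return false;
}
// Constructed sample accounts (placeholder values).
const SAMPLE_OWNER: UserRecord = { id: "u-owner", email: "owner@example.test", role: "owner",
  recoveryToken: "reset-token-placeholder", passwordHash: "hash-placeholder" };
const SAMPLE_VIEWER: UserRecord = { id: "u-viewer", email: "viewer@example.test", role: "viewer",
  recoveryToken: null, passwordHash: "hash-placeholder" };
```

Running leaksSecret over every serialized response in an integration test suite catches a reintroduced leak regardless of which endpoint returns the user row.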
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai