Cyber Resilience

CVE-2024-8765

High · Public PoC

Published: 20 March 2025
Modified: 02 July 2025
KEV Added: none
Patch:
CVSS Score v3: 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0031 (54.1 percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-8765 is a high-severity Improper Resolution of Path Equivalence (CWE-41) vulnerability in the Lunary product from vendor Lunary. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 45.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the Privacy and Disclosure risk domain.

EU & UK References

Vulnerability details

In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. The system incorrectly identifies certain endpoints as public if the path contains '/auth/' anywhere within it. This allows unauthenticated attackers to access sensitive endpoints by including '/auth/' in the path. As a result, attackers can obtain and modify sensitive data and utilize other organizations' resources without proper authentication.
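The flaw described above is a substring test standing in for a route allowlist. The following is an added illustrative example, not Lunary's own code: a substring-based "public route" check of the kind the advisory describes, next to an exact-match allowlist with path normalisation that does not share the weakness. The route names, the `PUBLIC_ROUTES` set and the `authorize` gate are constructed for this example.

```javascript
// Added example (not lunary-ai/lunary source). Shows why a substring check
// for '/auth/' is the wrong way to mark routes public, and one sound
// replacement: normalise the request path, then exact-match an allowlist.

// Flawed check: any path containing '/auth/' anywhere is treated as public,
// so a protected route with '/auth/' embedded in it skips authentication.
function isPublicRouteFlawed(path) {
  return path.includes("/auth/");
}

// Constructed allowlist of routes that genuinely need no session.
const PUBLIC_ROUTES = new Set([
  "/auth/login",
  "/auth/signup",
  "/auth/reset-password",
]);

// Canonicalise a request path so equivalent spellings compare equal:
// drop query/fragment, percent-decode, collapse empty and '.' segments,
// resolve '..', and remove trailing slashes. Returns null on bad encoding.
function normalizePath(path) {
  const noQuery = path.split("?")[0].split("#")[0];
  let decoded;
  try {
    decoded = decodeURIComponent(noQuery);
  } catch {
    return null; // malformed percent-encoding is rejected, not guessed at
  }
  const segments = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

// Hardened check: only an exact, normalised match against the allowlist
// counts as public. Everything else requires authentication.
function isPublicRouteHardened(path) {
  const norm = normalizePath(path);
  return norm !== null && PUBLIC_ROUTES.has(norm);
}

// Request gate: decide whether a request may proceed without a valid session.
// `isPublic` is injected so both checks can be compared against the same gate.
function authorize(path, hasValidSession, isPublic) {
  if (isPublic(path)) return "allow-public";
  return hasValidSession ? "allow-authenticated" : "deny-unauthenticated";
}

module.exports = { isPublicRouteFlawed, isPublicRouteHardened, normalizePath, authorize };
```

The defensive point is that the decision "this route needs no session" must be a property of the resolved route, not of the raw string. A detection for the flawed pattern in code review is simply any `includes`, `indexOf` or regex test on the path that feeds an authentication bypass; in request logs, unauthenticated requests to non-public routes whose path carries an `/auth/` segment in an unexpected position are the signal to alert on.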

CWE(s)

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Privacy and Disclosure
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, lunary

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The flawed privilege check in lunary-ai/lunary lets unauthenticated attackers reach the public-facing web application's protected endpoints by crafting paths containing '/auth/', bypassing authentication and allowing sensitive data to be read or modified.

Affected Assets

Vendor: lunary
Product: lunary
Versions: ≤ 1.4.23

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References