CVE-2024-3502 CRITICAL

CVE-2024-3502: Exposure of Sensitive Information in lunary-ai/lunary

Vendor Lunary-Ai
Product lunary-ai/lunary
Weakness CWE-201
Published November 14, 2024
Last update October 15, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.

Key dates

02Disclosure timeline

November 14, 2024 CVE published
October 15, 2025 Record updated