CVE-2024-3504 HIGH

CVE-2024-3504: Improper Access Control in lunary-ai/lunary

Vendor Lunary-Ai
Product lunary-ai/lunary
Weakness CWE-863 · Incorrect authorization
Published June 6, 2024
Last update October 15, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.

Key dates

02 Disclosure timeline

June 6, 2024 CVE published
October 15, 2025 Record updated