CVE-2024-5130 HIGH

CVE-2024-5130: Incorrect Authorization in lunary-ai/lunary

Vendor Lunary-Ai
Product lunary-ai/lunary
Weakness CWE-862 · Missing authorization
Published June 6, 2024
Last update October 15, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8.

Key dates

02Disclosure timeline

June 6, 2024 CVE published
October 15, 2025 Record updated