CVE-2024-9000 HIGH

CVE-2024-9000: Improper Authorization and Duplicate Slug Vulnerability in lunary-ai/lunary

Vendor Lunary-Ai
Product lunary-ai/lunary
Weakness CWE-862 · Missing authorization
Published March 20, 2025
Last update October 15, 2025
View on NVD All CVEs

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

01Description

In lunary-ai/lunary before version 1.4.26, the checklists.post() endpoint allows users to create or modify checklists without validating whether the user has proper permissions. This missing access control permits unauthorized users to create checklists, bypassing intended permission checks. Additionally, the endpoint does not validate the uniqueness of the slug field when creating a new checklist, allowing an attacker to spoof existing checklists by reusing the slug of an already-existing checklist. This can lead to significant data integrity issues, as legitimate checklists can be replaced with malicious or altered data.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
October 15, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-9187 Abandoned Contact Form 7 <= 2.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion via 'recover_id' Parameter CVE-2025-47472 WordPress Music Player for WooCommerce plugin <= 1.5.1 - Broken Access Control Vulnerability CVE-2024-5857 Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free <= 3.7.3.2 - Missing Authorization to Unauthenticated Arbitrary Media Deletion CVE-2026-23972 WordPress Booking and Rental Manager plugin <= 2.6.0 - Broken Access Control vulnerability CVE-2025-68578 WordPress Addonify plugin <= 2.0.4 - Broken Access Control vulnerability