cvedb.io
CVE-2024-6086
MEDIUM · CVSS 4.3
EPSS exploitation probability: 0%
Published 2024-06-27T19:15:19.533 · Last modified 2026-06-17T08:17:15.650

Summary

In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.
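
The missing check described in the summary, modelled as an added example; this is not lunary's code. The permission table, the 'owner' and 'admin' role names, the ctx shape and the route and handler names are hypothetical, and only checkAccess() and the 'Prompt Editor' role come from the advisory text.

```javascript
// Added illustration, not lunary's code. The permission table, the 'owner' and
// 'admin' roles, the ctx shape and all route/handler names are assumptions.
const PERMISSIONS = {
  owner: { org: ["read", "update"] },
  admin: { org: ["read", "update"] },
  "Prompt Editor": { org: ["read"], prompts: ["read", "update"] },
};

// Deny by default: unknown roles, resources or actions all fail.
function hasAccess(role, resource, action) {
  const known = Object.prototype.hasOwnProperty.call(PERMISSIONS, role);
  const allowed = known ? PERMISSIONS[role][resource] : undefined;
  return Array.isArray(allowed) && allowed.includes(action);
}

// Middleware factory in the spirit of the checkAccess() named in the summary.
function checkAccess(resource, action) {
  return (ctx, next) => {
    if (!ctx.user || !hasAccess(ctx.user.role, resource, action)) {
      ctx.status = 403;
      ctx.body = { error: "Forbidden" };
      return ctx; // handler is never reached
    }
    return next(ctx);
  };
}

const orgs = new Map([["org_1", { name: "Acme" }]]); // constructed sample data

function renameOrg(ctx) {
  // The write is scoped to the caller's own organization.
  const org = orgs.get(ctx.user.orgId);
  org.name = ctx.request.name;
  ctx.status = 200;
  ctx.body = { name: org.name };
  return ctx;
}

// Before: authentication only, so any role reaches the handler.
const vulnerableRoute = (ctx) => renameOrg(ctx);
// After: same handler, gated on an explicit org:update permission.
const hardenedRoute = (ctx) => checkAccess("org", "update")(ctx, renameOrg);

// Helper that builds a constructed request context for a given role.
function request(route, role, name) {
  return route({ user: { role, orgId: "org_1" }, request: { name } });
}
```

A regression test for this class of bug sends the same rename request once per role and asserts that only the roles holding the update permission change the stored name.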

Affected products

lunary — lunary

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.