Home » Database

AVID-2026-R0032

Description

Improper Access Control in lunary-ai/lunary (CVE-2024-8999)

Details

lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. This vulnerability allows any user to export the entire database data by creating a stream to Google BigQuery without proper authentication or authorization. The issue is fixed in version 1.4.26.

References

Affected or Relevant Artifacts

  • Developer: lunary-ai
  • Deployer: lunary-ai
  • Artifact Details:
TypeName
Systemlunary-ai/lunary

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.0
Vector StringCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score9.8
Base Severity🔴 Critical
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality Impact🔴 High
Integrity Impact🔴 High
Availability Impact🔴 High

CWE

IDDescription
CWE-862CWE-862 Missing Authorization

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-20
  • Version: 0.3.1
  • AVID Entry