
AVID-2026-R1631

Description

Privilege Escalation in lunary-ai/lunary (CVE-2024-9098)

Details

In lunary-ai/lunary before version 1.4.30, a privilege escalation vulnerability exists where admins can invite new members with billing permissions, thereby gaining unauthorized access to billing resources. This issue arises because the user creation endpoint does not restrict admins from inviting users with billing roles. As a result, admins can circumvent the intended access control, posing a risk to the organization’s financial resources.
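The following is an added example, not code from the Lunary project, showing the authorization defect the advisory describes in a generic invite handler and the corrected form beside it. The role names and the policy that only an owner may grant the billing role are assumptions made for the illustration; the audit helper at the end runs over constructed invite records so the same rule can be checked against historical data.

```javascript
// Added example (not Lunary's own code). Role names and the assignment
// policy below are assumptions for the illustration.
const ROLES = new Set(["owner", "admin", "member", "billing"]);

// Assumed policy: which roles each inviter role is allowed to grant.
// Only an owner may hand out the billing role.
const ASSIGNABLE = {
  owner: new Set(["admin", "member", "billing"]),
  admin: new Set(["admin", "member"]),
  member: new Set(),
  billing: new Set(),
};

// Vulnerable pattern (the shape of CWE-863 described in the advisory):
// the endpoint checks that the caller may invite at all, but never checks
// that the caller may grant the *requested* role, so an admin can create
// a user with billing permissions.
function inviteUserVulnerable(inviter, requestedRole) {
  if (!ROLES.has(requestedRole)) {
    return { ok: false, reason: "unknown role" };
  }
  if (inviter.role !== "owner" && inviter.role !== "admin") {
    return { ok: false, reason: "caller may not invite users" };
  }
  // Missing: is inviter.role permitted to assign requestedRole?
  return { ok: true, role: requestedRole };
}

// Hardened form: authorization is decided per (inviter role, requested
// role) pair, so the granted role can never exceed what the caller holds.
function inviteUserHardened(inviter, requestedRole) {
  if (!ROLES.has(requestedRole)) {
    return { ok: false, reason: "unknown role" };
  }
  const allowed = ASSIGNABLE[inviter.role] || new Set();
  if (!allowed.has(requestedRole)) {
    return {
      ok: false,
      reason: `${inviter.role} may not grant role ${requestedRole}`,
    };
  }
  return { ok: true, role: requestedRole };
}

// Defender's check: given past invite records {inviterRole, grantedRole},
// return those that violate the assignment policy. Useful for reviewing
// an organization's membership history after upgrading past a fix.
function findPolicyViolations(records) {
  return records.filter((r) => {
    const allowed = ASSIGNABLE[r.inviterRole] || new Set();
    return !allowed.has(r.grantedRole);
  });
}

// Constructed sample records for the audit helper (not real data).
const SAMPLE_INVITES = [
  { id: 1, inviterRole: "owner", grantedRole: "billing" },
  { id: 2, inviterRole: "admin", grantedRole: "member" },
  { id: 3, inviterRole: "admin", grantedRole: "billing" },
  { id: 4, inviterRole: "member", grantedRole: "member" },
];

// Demonstration when run directly: record 3 and record 4 are flagged.
if (typeof require !== "undefined" && require.main === module) {
  console.log(inviteUserVulnerable({ role: "admin" }, "billing"));
  console.log(inviteUserHardened({ role: "admin" }, "billing"));
  console.log(findPolicyViolations(SAMPLE_INVITES).map((r) => r.id));
}
```

The hardened handler keeps a single table as the source of truth for who may grant what, so adding a new role means adding a table entry rather than another ad-hoc branch; the audit helper reuses that same table, which keeps enforcement and review consistent.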

Reason for inclusion in AVID: The CVE describes a software vulnerability (privilege escalation via improper authorization) in the Lunary AI platform. This platform is a software component commonly used in AI workflows, serving as part of the AI tooling/stack. It concerns how admins can invite users with billing permissions, affecting access control and billing resources—clearly a security vulnerability impacting AI software stacks. The issue lies in a component that would be part of the supply chain for general-purpose AI systems (build/deploy/run AI workloads via Lunary), not hardware/firmware alone. Sufficient signals are provided (description, CVSS, references).

References

Affected or Relevant Artifacts

  • Developer: lunary-ai
  • Deployer: lunary-ai
  • Artifact Details:
      • Type: System
      • Name: lunary-ai/lunary

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
  • Base Score: 7.3
  • Base Severity: 🔴 High
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: 🟢 Low
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: NONE

CWE

  • CWE-863: Incorrect Authorization

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-20
  • Version: 0.3.3
  • AVID Entry