CVE-2024-9099 in lunary

Summary

by MITRE • 03/20/2025

In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to perform actions on behalf of the project, access private data, and delete resources. The private API keys are exposed in the developer tools when the endpoint is called from the frontend.


Analysis

by VulDB Data Team • 03/20/2025

The vulnerability identified as CVE-2024-9099 resides in the lunary-ai/lunary application, version v1.4.29, where the GET /projects API endpoint does not enforce role-based access control on what it returns. The endpoint returns every project's public and private API key to any authenticated member of the workspace, including users holding the least privileged roles such as Viewer or Prompt Editor, although only administrators or similarly authorized users should be able to read the private key. This violates the principles of least privilege and credential separation: a read-only role ends up holding a credential that carries full operational capability within the project.

The root cause is a missing authorization check at the application layer, not an authentication failure: the caller is a legitimately logged-in user, but the handler neither verifies that the caller's role permits access to private credentials nor restricts the serialized project object to the fields appropriate for that role. As a result the private keys travel in the JSON response body and can be read from the browser's developer tools, from an intercepting proxy, or simply by calling the endpoint directly with a low-privilege session; transport encryption does not help, because the recipient of the response is the attacker. This is an instance of CWE-284 (Improper Access Control), specifically a failure to enforce access control on a sensitive field of an otherwise permitted response.

The operational impact goes well beyond the disclosure itself, because the private API key is a bearer credential. Whoever holds it can perform actions on behalf of the project, read private project data, modify configuration, and delete resources, without any further exploitation step. In MITRE ATT&CK terms this corresponds to Credential Access through Unsecured Credentials (T1552) followed by use of the key as a Valid Account (T1078); the stolen key also lets an attacker retain access after the original low-privilege user has been removed, until the key is rotated.

Organizations running the vulnerable version face data exposure, unauthorized resource consumption, and service disruption, and because the flaw grants full project capability to the least privileged roles, any member account, including a compromised one, is effectively a project administrator. Mitigation should start with upgrading to version v1.4.30 or later, where this vulnerability has been addressed by enforcing authorization on the endpoint and omitting private keys from responses to users who are not entitled to them. Since the private keys of every project must be assumed to have been read by any member who used the UI while the vulnerable version was deployed, all affected private API keys should be rotated after the upgrade, and access logs should be reviewed both for GET /projects requests by low-privilege accounts and for private-key usage from clients or source addresses that do not match the project's legitimate integrations.
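The serialization mistake described above and the hardened form the upgrade is said to implement, as an added TypeScript example that is not lunary's own code. It assumes a hypothetical role model (owner, admin, member, viewer, prompt_editor), hypothetical field names publicApiKey and privateApiKey on the project record, and constructed sample projects with placeholder key strings. The vulnerable handler returns the stored row unchanged; the hardened handler builds the response from an explicit allow-list of fields and attaches the private key only for roles permitted to see it. A small regression check serializes the response the way the HTTP layer would and reports whether any private key string appears in it, which is exactly the symptom the report describes (keys visible in developer tools).

```typescript
// Added example (not lunary's code): role-aware serialization of project
// records so the private API key is only returned to authorized roles.

type Role = "owner" | "admin" | "member" | "viewer" | "prompt_editor"; // hypothetical role names

interface ProjectRecord {
  id: string;
  name: string;
  publicApiKey: string;   // safe to show to any member
  privateApiKey: string;  // must never reach low-privilege roles
}

interface User {
  id: string;
  orgId: string;
  role: Role;
}

// Roles allowed to read the private key. An assumption for this example.
const PRIVATE_KEY_ROLES: ReadonlySet<Role> = new Set<Role>(["owner", "admin"]);

// Vulnerable pattern: the stored row is returned as-is, so every field,
// including privateApiKey, is serialized for any authenticated caller.
function listProjectsVulnerable(_user: User, rows: ProjectRecord[]): ProjectRecord[] {
  return rows;
}

// Hardened pattern: construct the response object explicitly (allow-list of
// fields) and attach privateApiKey only when the caller's role permits it.
function listProjectsHardened(user: User, rows: ProjectRecord[]) {
  const canSeePrivate = PRIVATE_KEY_ROLES.has(user.role);
  return rows.map((p) => ({
    id: p.id,
    name: p.name,
    publicApiKey: p.publicApiKey,
    ...(canSeePrivate ? { privateApiKey: p.privateApiKey } : {}),
  }));
}

// Regression check: serialize the body as the HTTP layer would and report
// whether any project's private key string appears anywhere in it.
function responseContainsPrivateKey(body: unknown, rows: ProjectRecord[]): boolean {
  const json = JSON.stringify(body);
  return rows.some((p) => json.includes(p.privateApiKey));
}

// Constructed sample data with placeholder keys (not real credentials).
const SAMPLE_PROJECTS: ProjectRecord[] = [
  { id: "p1", name: "chatbot", publicApiKey: "pk_example_1", privateApiKey: "sk_example_1" },
  { id: "p2", name: "rag-eval", publicApiKey: "pk_example_2", privateApiKey: "sk_example_2" },
];
const VIEWER: User = { id: "u1", orgId: "o1", role: "viewer" };
const ADMIN: User = { id: "u2", orgId: "o1", role: "admin" };

// Runs both handlers for a Viewer and an admin and reports what leaked.
function demo() {
  return {
    vulnerableLeaksToViewer: responseContainsPrivateKey(listProjectsVulnerable(VIEWER, SAMPLE_PROJECTS), SAMPLE_PROJECTS),
    hardenedLeaksToViewer: responseContainsPrivateKey(listProjectsHardened(VIEWER, SAMPLE_PROJECTS), SAMPLE_PROJECTS),
    hardenedGivesAdminKey: responseContainsPrivateKey(listProjectsHardened(ADMIN, SAMPLE_PROJECTS), SAMPLE_PROJECTS),
  };
}

console.log(demo());
```

The allow-list construction is the important part: a handler that returns the ORM row and later tries to delete sensitive fields tends to regress the moment a new secret column is added, whereas a handler that names the fields it returns exposes nothing new by default. The JSON substring check is deliberately crude so it can be dropped into an integration test against the real endpoint with a low-privilege session.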

Responsible

@huntr Ai

Reservation

09/23/2024

Disclosure

03/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00550

KEV

no

Activities

very low
