CVE-2024-10274 identifies an improper authorization vulnerability classified under CWE-862 in the lunary-ai/lunary software, specifically version 1.5.5. The vulnerability resides in the /users/me/org API endpoint, which fails to enforce adequate access control mechanisms. As a result, users with limited privileges (PR:L) can access sensitive information about all members of the current organization, including personally identifiable information such as names, roles, and email addresses. This exposure violates the principle of least privilege and can lead to privacy breaches. The vulnerability does not affect data integrity or availability but has a high impact on confidentiality. The CVSS vector (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates that the attack can be performed remotely over the network with low attack complexity, requires some privileges but no user interaction, and affects confidentiality significantly. Although no exploits are currently known in the wild, the vulnerability presents a risk for reconnaissance activities that could precede more damaging attacks. The lack of a patch link suggests that remediation may require vendor intervention or custom access control implementation by affected organizations.

For European organizations, the primary impact is the unauthorized disclosure of sensitive employee and organizational information, which can lead to privacy violations and non-compliance with GDPR and other data protection laws. Exposure of names, roles, and emails can facilitate social engineering, phishing, and targeted attacks against employees or the organization. This can erode trust internally and externally, potentially leading to reputational damage and regulatory penalties. Since lunary-ai/lunary is a collaboration or organizational tool, the compromise of such data could also affect operational security by revealing organizational structure and personnel details. The medium severity rating reflects that while the vulnerability does not directly disrupt services or data integrity, the confidentiality breach alone is significant in the European regulatory context.

Organizations should immediately audit their use of lunary-ai/lunary, especially version 1.5.5, and restrict access to the /users/me/org endpoint to only authorized users with appropriate privileges. Implement strict role-based access control (RBAC) and verify that authorization checks are enforced server-side for all sensitive endpoints. Monitor access logs for unusual or unauthorized queries to this endpoint. If vendor patches become available, apply them promptly. In the absence of official patches, consider deploying web application firewalls (WAFs) with custom rules to block unauthorized access attempts to the vulnerable endpoint. Conduct internal penetration testing to verify that no unauthorized data disclosure is possible. Educate employees about phishing risks that may arise from leaked information. Finally, review and update privacy policies and incident response plans to address potential data exposure incidents.