CVE-2024-10275: CWE-863 Incorrect Authorization in lunary-ai lunary-ai/lunary
In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an administrator can manage billing, effectively bypassing the intended role-based access control. Only users with the 'owner' role should be allowed to invite members with billing permissions. This flaw allows admins to circumvent those restrictions, gaining unauthorized access and control over billing information, posing a risk to the organization’s financial resources.
AI Analysis
Technical Summary
CVE-2024-10275 identifies an incorrect authorization vulnerability (CWE-863) in lunary-ai/lunary version 1.5.5, where administrators lacking direct billing permissions can escalate their privileges by altering existing users' permissions to include billing access. The root cause is a failure in the role-based access control (RBAC) mechanism, which should restrict billing permission assignments exclusively to users with the 'owner' role. This vulnerability enables admins to bypass these restrictions, effectively granting themselves unauthorized control over billing resources. The vulnerability requires authenticated access at the admin level and some user interaction to modify permissions. The CVSS 3.0 score is 7.3 (high severity), reflecting the network attack vector, low attack complexity, and the significant confidentiality and integrity impacts due to unauthorized billing access. Although no exploits are currently known in the wild, the flaw poses a substantial risk to organizational financial security. The vulnerability affects unspecified versions but is confirmed in version 1.5.5. The lack of a patch at the time of reporting necessitates immediate compensating controls. This vulnerability highlights the critical importance of strict RBAC enforcement and monitoring in SaaS and cloud-based collaboration platforms.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access and manipulation of billing information, potentially resulting in financial fraud, billing disputes, and loss of trust. Confidentiality of sensitive financial data is compromised, and integrity is at risk due to unauthorized permission changes. Although availability is not directly impacted, the financial and reputational damage could be significant, especially for organizations relying heavily on lunary-ai/lunary for billing and user management. Organizations in finance, technology, and sectors with strict compliance requirements (e.g., GDPR) face increased regulatory and operational risks. Attackers exploiting this flaw could cause unauthorized charges, disrupt billing processes, or leak sensitive financial data, leading to legal and compliance consequences.
Mitigation Recommendations
1. Immediately audit all user permissions within lunary-ai/lunary to detect unauthorized billing permission assignments. 2. Enforce strict RBAC policies by restricting permission modification capabilities to 'owner' roles only, using custom access controls or external policy enforcement if the product lacks native support. 3. Monitor and log all permission changes with alerts for billing-related modifications. 4. Limit admin privileges to only those necessary and review admin roles regularly. 5. Implement multi-factor authentication (MFA) for all admin accounts to reduce risk of credential compromise. 6. Coordinate with lunary-ai vendor for timely patch deployment once available. 7. Consider temporary compensating controls such as disabling billing permission changes or isolating billing management to separate trusted environments. 8. Train administrators on the risks of privilege escalation and proper permission management practices.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
CVE-2024-10275: CWE-863 Incorrect Authorization in lunary-ai lunary-ai/lunary
Description
In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an administrator can manage billing, effectively bypassing the intended role-based access control. Only users with the 'owner' role should be allowed to invite members with billing permissions. This flaw allows admins to circumvent those restrictions, gaining unauthorized access and control over billing information, posing a risk to the organization’s financial resources.
AI-Powered Analysis
Technical Analysis
CVE-2024-10275 identifies an incorrect authorization vulnerability (CWE-863) in lunary-ai/lunary version 1.5.5, where administrators lacking direct billing permissions can escalate their privileges by altering existing users' permissions to include billing access. The root cause is a failure in the role-based access control (RBAC) mechanism, which should restrict billing permission assignments exclusively to users with the 'owner' role. This vulnerability enables admins to bypass these restrictions, effectively granting themselves unauthorized control over billing resources. The vulnerability requires authenticated access at the admin level and some user interaction to modify permissions. The CVSS 3.0 score is 7.3 (high severity), reflecting the network attack vector, low attack complexity, and the significant confidentiality and integrity impacts due to unauthorized billing access. Although no exploits are currently known in the wild, the flaw poses a substantial risk to organizational financial security. The vulnerability affects unspecified versions but is confirmed in version 1.5.5. The lack of a patch at the time of reporting necessitates immediate compensating controls. This vulnerability highlights the critical importance of strict RBAC enforcement and monitoring in SaaS and cloud-based collaboration platforms.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access and manipulation of billing information, potentially resulting in financial fraud, billing disputes, and loss of trust. Confidentiality of sensitive financial data is compromised, and integrity is at risk due to unauthorized permission changes. Although availability is not directly impacted, the financial and reputational damage could be significant, especially for organizations relying heavily on lunary-ai/lunary for billing and user management. Organizations in finance, technology, and sectors with strict compliance requirements (e.g., GDPR) face increased regulatory and operational risks. Attackers exploiting this flaw could cause unauthorized charges, disrupt billing processes, or leak sensitive financial data, leading to legal and compliance consequences.
Mitigation Recommendations
1. Immediately audit all user permissions within lunary-ai/lunary to detect unauthorized billing permission assignments. 2. Enforce strict RBAC policies by restricting permission modification capabilities to 'owner' roles only, using custom access controls or external policy enforcement if the product lacks native support. 3. Monitor and log all permission changes with alerts for billing-related modifications. 4. Limit admin privileges to only those necessary and review admin roles regularly. 5. Implement multi-factor authentication (MFA) for all admin accounts to reduce risk of credential compromise. 6. Coordinate with lunary-ai vendor for timely patch deployment once available. 7. Consider temporary compensating controls such as disabling billing permission changes or isolating billing management to separate trusted environments. 8. Train administrators on the risks of privilege escalation and proper permission management practices.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- @huntr_ai
- Date Reserved
- 2024-10-23T05:23:59.342Z
- Cvss Version
- 3.0
- State
- PUBLISHED
Threat ID: 68ef9b22178f764e1f4709e2
Added to database: 10/15/2025, 1:01:22 PM
Last enriched: 10/15/2025, 1:13:10 PM
Last updated: 11/27/2025, 6:44:34 AM
Views: 16
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-12758: Incomplete Filtering of One or More Instances of Special Elements in validator
HighCVE-2025-13525: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in listingthemes WP Directory Kit
MediumCVE-2025-13143: CWE-352 Cross-Site Request Forgery (CSRF) in assafp Poll, Survey & Quiz Maker Plugin by Opinion Stage
MediumCVE-2025-12185: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in era404 StaffList
MediumCVE-2025-12123: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in trustindex Customer Reviews Collector for WooCommerce
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.