CVE-2024-11137: CWE-639 Authorization Bypass Through User-Controlled Key in lunary-ai lunary-ai/lunary
An Insecure Direct Object Reference (IDOR) vulnerability exists in the `PATCH /v1/runs/:id/score` endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which corresponds to the `runId_score` in the database. The endpoint does not sufficiently validate whether the authenticated user has permission to modify the specified runId, enabling an attacker with a valid account to modify other users' runId scores by specifying different id values. This issue was fixed in version 1.6.1.
AI Analysis
Technical Summary
CVE-2024-11137 is a high-severity authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in lunary-ai/lunary version 1.6.0. The vulnerability exists in the PATCH /v1/runs/:id/score API endpoint, which is designed to update the score data associated with a specific run identified by the 'id' parameter. Due to insufficient authorization validation, the endpoint fails to verify whether the authenticated user has permission to modify the specified runId_score in the database. Consequently, an attacker with any valid account can manipulate the 'id' parameter to alter the score data of runs owned by other users. This represents an Insecure Direct Object Reference (IDOR) flaw, allowing unauthorized data modification without requiring elevated privileges or user interaction. The vulnerability impacts data integrity but does not affect confidentiality or availability directly. The issue was addressed and fixed in lunary-ai/lunary version 1.6.1 by implementing proper authorization checks to ensure users can only modify their own run scores. The CVSS v3.0 score of 7.5 reflects the network attack vector, low attack complexity, no privileges required, no user interaction, and a significant impact on integrity. Although no known exploits are currently reported in the wild, the vulnerability poses a serious risk to organizations relying on this software for accurate and trustworthy run scoring data.
Potential Impact
For European organizations using lunary-ai/lunary, this vulnerability can lead to unauthorized modification of critical scoring data, potentially undermining the integrity of analytics, reporting, or decision-making processes that depend on this data. This could affect sectors relying on AI-driven run evaluations, such as research institutions, AI development companies, or any enterprise integrating lunary-ai/lunary into their workflows. The unauthorized data manipulation could result in incorrect performance metrics, loss of trust in system outputs, and potential compliance issues if data integrity is mandated by regulations. While confidentiality and availability are not directly impacted, the integrity breach could indirectly affect business operations and stakeholder confidence. The ease of exploitation (no privilege escalation or user interaction required) increases the risk of internal or external attackers with valid accounts exploiting this flaw. Organizations failing to upgrade may face reputational damage or operational disruptions if attackers manipulate run scores maliciously.
Mitigation Recommendations
European organizations should immediately upgrade lunary-ai/lunary to version 1.6.1 or later, where the vulnerability is fixed. In addition to patching, organizations should implement strict access control policies and audit logs to monitor modifications to run scores, enabling detection of unauthorized changes. Employing role-based access control (RBAC) or attribute-based access control (ABAC) can further restrict who can modify run data. Conduct regular security reviews and penetration testing focusing on API endpoints to identify similar authorization weaknesses. Network segmentation and limiting API access to trusted users and systems can reduce exposure. Finally, educate developers on secure coding practices to prevent IDOR vulnerabilities by enforcing server-side authorization checks on all user-controlled parameters.
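The server-side check the last recommendation calls for, shown as an added example that is not lunary's own code: a constructed PATCH score handler in TypeScript (the project's language) in its vulnerable and hardened forms. The Run/Session shapes, the project-based ownership model and the in-memory store are assumptions.

```typescript
// Added example, not lunary's own code: the CWE-639 pattern behind CVE-2024-11137
// in its vulnerable and hardened forms. The Run/Session shapes, the project-based
// ownership model and the in-memory store below are constructed assumptions.

interface Run { id: string; projectId: string; score: number | null }
// A session lists the projects the authenticated caller is allowed to touch.
interface Session { userId: string; projectIds: string[] }
type Result = { status: 200 | 404; run?: Run };

// Constructed sample table standing in for the database "run" rows.
const runs = new Map<string, Run>([
  ["run-a", { id: "run-a", projectId: "proj-1", score: null }],
  ["run-b", { id: "run-b", projectId: "proj-2", score: null }],
]);

// Vulnerable (the 1.6.0 behaviour as described): the caller-controlled :id is the
// only key used. Authentication is checked, authorization is not, so any valid
// account can overwrite the score of whichever run id it supplies.
function patchScoreVulnerable(_session: Session, id: string, score: number): Result {
  const run = runs.get(id);
  if (!run) return { status: 404 };
  run.score = score;
  return { status: 200, run };
}

// Hardened: the lookup is bound to the caller's authorization scope, the SQL
// equivalent of `UPDATE run SET score = $1 WHERE id = $2 AND project_id = ANY($3)`.
// A run outside the caller's projects is answered exactly like a missing run, so
// the endpoint neither modifies it nor confirms that the id exists.
function patchScoreSecure(session: Session, id: string, score: number): Result {
  const run = runs.get(id);
  if (!run || !session.projectIds.includes(run.projectId)) return { status: 404 };
  run.score = score;
  return { status: 200, run };
}

// Audit-log check: a write attempt against a run outside the caller's projects is
// the signature of this IDOR and is what the recommended monitoring should flag.
function isCrossProjectWrite(session: Session, id: string): boolean {
  const run = runs.get(id);
  return run !== undefined && !session.projectIds.includes(run.projectId);
}
```

Returning 404 rather than 403 for out-of-scope runs is a deliberate choice: it keeps the fix from turning the endpoint into an existence oracle for other tenants' run ids.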
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-11-12T12:22:46.390Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b23178f764e1f470a79
Added to database: 10/15/2025, 1:01:23 PM
Last enriched: 10/15/2025, 1:21:02 PM
Last updated: 10/16/2025, 12:42:02 PM