CVE-2024-11300 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the lunary-ai/lunary product before version 1.6.3. The flaw arises due to improper access control mechanisms that fail to adequately verify user permissions when accessing prompt data via URLs containing user-controlled keys. This allows an attacker with limited privileges (PR:L) to craft requests that access prompt data belonging to other users, thereby breaching confidentiality and potentially integrity and availability of sensitive data. The vulnerability has a CVSS 3.0 base score of 8.8, indicating high severity, with attack vector network (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no exploits are currently known in the wild, the ease of exploitation and the critical nature of the data involved make this a significant threat. The vulnerability affects version 1.6.2 and the main development branch, with no patch links provided yet, but version 1.6.3 is indicated as fixed. The root cause is insufficient validation of user authorization when accessing resources identified by user-controlled keys, allowing unauthorized data access.

For European organizations, especially those leveraging lunary-ai/lunary for AI prompt management or related services, this vulnerability poses a serious risk of sensitive data exposure. Confidential prompt data could include proprietary AI instructions, user inputs, or other critical information that, if leaked, could lead to intellectual property theft, privacy violations, or competitive disadvantage. The integrity of prompt data could also be compromised if attackers manipulate or access data they should not. Availability impact is possible if attackers exploit the flaw to disrupt services or cause denial of access to legitimate users. Sectors such as technology companies, AI research institutions, and enterprises integrating AI-driven workflows are particularly vulnerable. The cross-user data exposure can also lead to regulatory compliance issues under GDPR, potentially resulting in fines and reputational damage.

Organizations should immediately upgrade lunary-ai/lunary to version 1.6.3 or later where the vulnerability is fixed. Until patching is possible, implement strict access control checks at the application layer to validate user permissions against requested resources, ensuring that user-controlled keys cannot be used to access unauthorized data. Employ robust logging and monitoring of access patterns to detect anomalous requests that may indicate exploitation attempts. Use network segmentation and least privilege principles to limit exposure of the lunary-ai/lunary service. Conduct regular security assessments and code reviews focusing on authorization logic. Additionally, consider implementing Web Application Firewalls (WAFs) with custom rules to block suspicious URL patterns. Educate developers and administrators about the risks of CWE-639 to prevent similar issues in future development.