CVE-2024-3502: CWE-201 Insertion of Sensitive Information Into Sent Data in lunary-ai lunary-ai/lunary
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.
AI Analysis
Technical Summary
CVE-2024-3502 is an information disclosure vulnerability classified under CWE-201, affecting lunary-ai/lunary software versions up to and including 1.2.5. The flaw arises because the application inadvertently includes account recovery hashes in the JSON responses of two API endpoints: GET /v1/users/me and GET /v1/users/me/org. These endpoints are accessible to authenticated users, but the exposure of recovery hashes is unintended and represents sensitive information leakage. Although these hashes are not equivalent to user passwords, they are critical for account recovery mechanisms and could be leveraged by attackers to bypass authentication controls or reset account credentials maliciously. The vulnerability does not require elevated privileges or user interaction, making it remotely exploitable by any authenticated user. The issue was resolved in version 1.2.6 by removing or securing the sensitive data from API responses. The CVSS v3.0 base score of 9.1 indicates a critical severity, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability impacts confidentiality and integrity but not availability. No public exploits have been reported yet, but the potential for account takeover or unauthorized access is significant.
Potential Impact
For European organizations, this vulnerability poses a significant risk to user account security and data integrity. Exposure of account recovery hashes could allow attackers to perform unauthorized account recovery, potentially leading to account takeover, data theft, or unauthorized access to organizational resources. This is especially critical for organizations relying on lunary-ai/lunary for sensitive or proprietary data management. The lack of required privileges or user interaction lowers the barrier for exploitation, increasing the likelihood of abuse if attackers gain authenticated access. Compromise of user accounts could lead to further lateral movement within networks, data exfiltration, or disruption of business operations. Additionally, organizations subject to strict data protection regulations such as GDPR may face compliance and reputational risks if user data is compromised due to this vulnerability.
Mitigation Recommendations
European organizations using lunary-ai/lunary should immediately upgrade to version 1.2.6 or later, where the vulnerability is patched. Until the upgrade is applied, restrict access to the affected API endpoints to only trusted and necessary users, and monitor API usage logs for unusual access patterns or attempts to retrieve sensitive data. Implement strong authentication and session management controls to limit the risk of unauthorized authenticated access. Conduct thorough audits of account recovery mechanisms to ensure no other sensitive information is exposed. Additionally, educate users about phishing and social engineering risks that could exploit leaked recovery information. Employ network segmentation and least privilege principles to minimize the impact of any compromised accounts. Finally, maintain an incident response plan to quickly address any suspected account compromises.
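The two points above, the vulnerable serialization pattern from the technical summary and the response audit the mitigation section recommends, as an added example that is not lunary's own code. The row fields (`passwordHash`, `recoveryHash`, and the sample record) are assumptions for illustration; the advisory does not name the leaked column.

```typescript
// Added example, not lunary's code. Field names below are constructed:
// the advisory only says "account recovery hashes" were returned by
// GET /v1/users/me and GET /v1/users/me/org.
type UserRow = {
  id: string;
  email: string;
  name: string;
  role: string;
  passwordHash: string;        // assumed column name
  recoveryHash: string | null; // assumed name for the leaked field
  createdAt: string;
};

// CWE-201 pattern: the whole database row is returned as the API body.
function serializeUserUnsafe(row: UserRow): Record<string, unknown> {
  return { ...row };
}

// Hardened pattern: only fields on an explicit allowlist leave the server,
// so a new sensitive column added later is not exposed by default.
const USER_PUBLIC_FIELDS = ["id", "email", "name", "role", "createdAt"] as const;

function serializeUser(row: UserRow): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const k of USER_PUBLIC_FIELDS) out[k] = row[k];
  return out;
}

// Audit check for a test suite or staging middleware: walk a JSON response
// (including nested user lists, as an org response may carry) and report
// keys whose names suggest credential or recovery material with a value set.
const SENSITIVE_KEY = /(recovery|password|secret|token|hash|salt)/i;

function findSensitiveKeys(value: unknown, path = "$"): string[] {
  const hits: string[] = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findSensitiveKeys(v, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      const p = `${path}.${k}`;
      if (SENSITIVE_KEY.test(k) && v !== null && v !== undefined) hits.push(p);
      hits.push(...findSensitiveKeys(v, p));
    }
  }
  return hits;
}

// Constructed sample record standing in for a database row.
const SAMPLE_ROW: UserRow = {
  id: "u_1", email: "alice@example.com", name: "Alice", role: "admin",
  passwordHash: "$argon2id$constructed", recoveryHash: "constructed-hash",
  createdAt: "2024-01-01T00:00:00Z",
};
```

Running `findSensitiveKeys` over both serializers' output shows the unsafe body flagged at `$.passwordHash` and `$.recoveryHash` while the allowlisted body yields no hits.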
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-04-09T01:41:03.746Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b26178f764e1f470b89
Added to database: 10/15/2025, 1:01:26 PM
Last enriched: 10/15/2025, 1:27:01 PM
Last updated: 10/16/2025, 2:44:57 PM