CVE-2024-3504: CWE-863 Incorrect Authorization in lunary-ai lunary-ai/lunary
An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7.
AI Analysis
Technical Summary
CVE-2024-3504 is an authorization bypass vulnerability classified under CWE-863, found in the lunary-ai/lunary software up to version 1.2.2. The flaw arises because an admin user can improperly update any organization user's role to that of the organization owner without sufficient authorization checks. This escalation of privileges allows the attacker to perform critical actions reserved for owners, such as deleting projects within the organization. The vulnerability does not affect confidentiality directly but severely impacts integrity and availability by enabling destructive operations. Exploitation requires the attacker to already have admin-level privileges, but no additional user interaction is needed. The attack vector is network-based with low complexity, meaning an attacker with admin access can remotely exploit this flaw without significant effort. The vulnerability was publicly disclosed on June 6, 2024, with a CVSS v3.0 score of 8.1, indicating high severity. The vendor addressed the issue in lunary-ai/lunary version 1.2.7, which includes proper authorization checks to prevent unauthorized role changes and project deletions.
Potential Impact
For European organizations using lunary-ai/lunary versions up to 1.2.2, this vulnerability poses a significant risk to operational continuity and data integrity. An attacker with admin privileges can escalate to organization owner, gaining full control over organizational projects, including the ability to delete critical projects. This can lead to loss of valuable intellectual property, disruption of business processes, and potential financial and reputational damage. Since lunary-ai/lunary is likely used in collaborative AI or software development environments, the impact extends to project teams and dependent services. The vulnerability does not directly expose confidential data but compromises the integrity and availability of organizational resources. Organizations in sectors with strict data governance and operational resilience requirements, such as finance, healthcare, and critical infrastructure, may face heightened consequences. Additionally, recovery from project deletion may be complex or impossible without proper backups, increasing downtime and recovery costs.
Mitigation Recommendations
European organizations should immediately upgrade lunary-ai/lunary to version 1.2.7 or later, where the vulnerability is fixed. Until patching is complete, restrict admin privileges to trusted personnel only and audit admin activities closely to detect any unauthorized role changes. Implement strict role-based access controls and monitor logs for unusual privilege escalations or project deletions. Employ backup and recovery procedures to mitigate the impact of potential project deletions. Consider network segmentation and multi-factor authentication for admin accounts to reduce the risk of compromised credentials. Regularly review and update organizational policies around privilege management and incident response to quickly address any exploitation attempts. Engage with the vendor for any additional security advisories or patches related to lunary-ai/lunary.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-04-09T02:08:37.707Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b26178f764e1f470b8d
Added to database: 10/15/2025, 1:01:26 PM
Last enriched: 10/15/2025, 1:27:14 PM
Last updated: 10/16/2025, 2:50:00 PM