CVE-2024-5386: CWE-1125 Excessive Attack Surface in lunary-ai lunary-ai/lunary
CVE-2024-5386 is a critical vulnerability in lunary-ai/lunary version 1.2.2 that allows users with a low-privilege 'viewer' role to hijack other users' accounts by exploiting a password reset token leak. The vulnerability arises because the server responds to a specific request from a viewer role user with a password reset token (the 'recoveryToken' parameter) belonging to another user, enabling unauthorized password resets. This flaw results from an excessive attack surface that permits privilege escalation without user interaction. The CVSS score of 9.6 reflects the high impact on confidentiality and integrity, with no user interaction required and a network attack vector. European organizations using lunary-ai/lunary are at risk of account takeover, potentially leading to data breaches and unauthorized access. Mitigation requires immediate patching once available, restricting access to password reset functionality, and monitoring for suspicious requests. Countries with significant adoption of lunary-ai/lunary or critical infrastructure relying on it, such as Germany, France, and the UK, are most likely affected.
AI Analysis
Technical Summary
CVE-2024-5386 is a critical security vulnerability identified in lunary-ai/lunary version 1.2.2. The flaw is categorized under CWE-1125 (Excessive Attack Surface): a user assigned the 'viewer' role, normally a low-privilege role, can exploit the system to hijack other users' accounts. The vulnerability stems from the server's improper handling of password reset requests. Specifically, when a viewer role user sends a crafted request, the server responds with a password reset token in the 'recoveryToken' parameter that corresponds to another user's account. Possession of this token allows the attacker to reset the victim's password without authorization, effectively taking over the account. The attack requires no user interaction and can be executed remotely over the network, making it highly exploitable. The vulnerability severely impacts confidentiality and integrity, as attackers gain unauthorized access to user accounts and can manipulate sensitive data. The excessive attack surface is due to insufficient access control on the password reset token generation and disclosure mechanism, allowing privilege escalation from viewer to full account control. Although no exploits have been reported in the wild yet, the high CVSS score (9.6) indicates critical severity. The full affected version range is not specified; version 1.2.2 is confirmed vulnerable. No patches are currently linked, emphasizing the need for a prompt vendor response and interim user mitigation.
Potential Impact
For European organizations using lunary-ai/lunary, this vulnerability poses a significant risk of account hijacking, leading to unauthorized access to sensitive data and systems. Attackers exploiting this flaw can escalate privileges from a low-privilege viewer role to full account control, potentially compromising confidential information and disrupting business operations. The lack of user interaction and network-based exploitability increases the likelihood of automated or targeted attacks. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on lunary-ai/lunary for collaboration or data management could face data breaches, regulatory non-compliance, and reputational damage. The vulnerability could also facilitate lateral movement within networks, enabling attackers to compromise additional systems. Given the critical severity, the impact extends beyond individual accounts to organizational security posture and data integrity.
Mitigation Recommendations
1. Immediately restrict access to password reset functionality to trusted roles only, ensuring that low-privilege users like 'viewer' cannot trigger password reset token generation for other accounts.
2. Implement strict server-side validation and authorization checks to confirm that password reset tokens are only issued to legitimate requesters for their own accounts.
3. Monitor logs for unusual password reset requests originating from viewer role users or other low-privilege accounts.
4. Employ multi-factor authentication (MFA) on all user accounts to reduce the impact of compromised credentials.
5. Isolate and segment systems running lunary-ai/lunary to limit lateral movement in case of compromise.
6. Engage with the vendor for timely patches or updates addressing this vulnerability and apply them as soon as available.
7. Conduct internal security audits and penetration testing focusing on access control and token management mechanisms.
8. Educate users about phishing and social engineering risks that could compound the vulnerability exploitation.
9. Consider implementing rate limiting and anomaly detection on password reset endpoints to detect and block abuse attempts.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-05-25T19:37:51.776Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 698083b8f9fa50a62f37058b
Added to database: 2/2/2026, 11:00:08 AM
Last enriched: 2/2/2026, 11:14:57 AM
Last updated: 2/2/2026, 12:48:03 PM