CVE-2024-6087: CWE-639 Authorization Bypass Through User-Controlled Key in lunary-ai lunary-ai/lunary
An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover.
AI Analysis
Technical Summary
CVE-2024-6087 is an improper access control vulnerability, categorized under CWE-639 (Authorization Bypass Through User-Controlled Key), in the lunary-ai/lunary project. The flaw lies in the 'invite user' functionality, which lets an attacker obtain authentication tokens intended for invited users. Specifically, the attacker invites a target's email address, receives the one-time use token linked to that invitation, then retracts the invite so the target never accepts it normally. Later, the attacker uses the same token to reset the target user's password, bypassing normal authorization checks and gaining full control of the account. The chain works because the token's lifecycle is not properly validated: a token that should have been invalidated on retraction, or restricted to the invitation flow, remains usable for a password reset. Exploitation requires the attacker to hold privileges to invite users but needs no interaction from the target. The CVSS 3.0 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No patches or exploits are currently reported, but the vulnerability poses a significant risk of account takeover and unauthorized access to sensitive data within affected organizations.
Potential Impact
For European organizations using lunary-ai/lunary, this vulnerability could lead to unauthorized account takeovers, exposing sensitive organizational data and potentially allowing attackers to impersonate legitimate users. The confidentiality breach could result in leakage of proprietary information, internal communications, or AI model data. Although the vulnerability does not directly affect system integrity or availability, compromised accounts could be leveraged for further lateral movement or social engineering attacks. Organizations in sectors with high reliance on AI collaboration platforms—such as technology firms, research institutions, and startups—face elevated risks. The medium severity rating reflects that while exploitation requires some privileges, the impact on confidentiality is high, making it a critical concern for protecting user identities and access controls. The absence of known exploits suggests a window for proactive mitigation before widespread abuse occurs.
Mitigation Recommendations
To mitigate CVE-2024-6087, organizations should:
- Verify whether they are running affected versions of lunary-ai/lunary and monitor vendor communications for official patches or updates.
- In the absence of patches, restrict the ability to invite users to highly trusted administrators only, minimizing the attack surface.
- Implement strict monitoring and alerting on invitation and password reset activities to detect suspicious patterns such as invite retractions followed by password resets.
- Enforce multi-factor authentication (MFA) on all user accounts to reduce the risk of account takeover even if credentials are compromised.
- Review and harden token lifecycle management: invalidate invite tokens immediately upon retraction and ensure tokens cannot be reused.
- Conduct regular access reviews and audit logs for unusual behavior.
- Educate users about phishing and social engineering risks that could compound the impact of compromised accounts.
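One way to implement the token lifecycle controls described in the technical summary and the mitigation list, as an added example that is not lunary's own code: a hypothetical single-use token store that binds each token to a purpose, keeps only its hash, revokes invite tokens when the invite is retracted, and deletes a token on first use. The class, method names and sample e-mail/organization values are assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
@dataclass
class TokenRecord:
    email: str
    org_id: str
    purpose: str  # "invite" or "password_reset": a token is valid for exactly one purpose
    expires_at: float
    revoked: bool = False
def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()  # store hashes, never raw tokens

class OneTimeTokenStore:
    """Hypothetical store (not lunary's code): tokens are purpose-bound, kept only as
    SHA-256 hashes, revoked when their invite is retracted, and deleted on first use."""
    def __init__(self, ttl_seconds: float = 3600.0):
        self.ttl = ttl_seconds
        self._records: Dict[str, TokenRecord] = {}

    def issue(self, email: str, org_id: str, purpose: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._records[_key(token)] = TokenRecord(email, org_id, purpose, time.time() + self.ttl)
        return token

    def retract_invite(self, email: str, org_id: str) -> int:
        # Retracting an invite revokes every live invite token issued for it; returns the count.
        hits = [r for r in self._records.values()
                if r.purpose == "invite" and (r.email, r.org_id, r.revoked) == (email, org_id, False)]
        for r in hits:
            r.revoked = True
        return len(hits)

    def consume(self, token: str, purpose: str) -> Optional[TokenRecord]:
        # Returns the record only if the token is live and was issued for this purpose;
        # success deletes the record, so the token cannot be replayed.
        rec = self._records.get(_key(token))
        if rec is None or rec.revoked or rec.purpose != purpose or time.time() > rec.expires_at:
            return None
        del self._records[_key(token)]
        return rec

def replay_after_retraction_blocked() -> bool:
    # The chain from the advisory: invite, retract, then try the token for a password reset.
    store = OneTimeTokenStore()
    tok = store.issue("target@example.com", "org-1", "invite")  # constructed sample values
    store.retract_invite("target@example.com", "org-1")
    return store.consume(tok, "password_reset") is None and store.consume(tok, "invite") is None
```

Purpose binding alone already stops an invite token from driving a password reset; revocation on retraction and deletion on use close the remaining reuse paths.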
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-06-17T17:49:59.828Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b2a178f764e1f470d18
Added to database: 10/15/2025, 1:01:30 PM
Last enriched: 10/15/2025, 1:37:49 PM
Last updated: 10/16/2025, 2:44:57 PM