CVE-2024-7476 identifies a broken access control vulnerability categorized under CWE-639 in the lunary-ai/lunary software, specifically affecting versions 1.2.7 through 1.4.2. The vulnerability arises because the application fails to properly validate user authorization when processing HTTP POST requests to the /v1/templates/{id}/versions endpoint. An authenticated attacker can craft a request targeting any template ID, thereby modifying templates owned by other users without possessing the necessary permissions. This bypass of access control mechanisms compromises the integrity of user data, as templates can be altered maliciously or erroneously. The vulnerability does not affect confidentiality or availability, as it does not expose data or disrupt service. Exploitation requires authentication but no additional user interaction, making it relatively straightforward for insiders or compromised accounts to abuse. The issue was addressed and fixed in lunary-ai/lunary version 1.4.3 by implementing proper authorization checks to ensure that users can only modify their own templates. There are no reports of active exploitation in the wild, but the vulnerability poses a risk especially in environments where template integrity is critical. The CVSS v3.0 base score is 4.3, reflecting a medium severity level due to the limited impact scope and the requirement for authentication.

For European organizations, the primary impact of CVE-2024-7476 is the potential unauthorized modification of templates within the lunary-ai/lunary platform. This can lead to integrity issues, such as corrupted or maliciously altered templates that may affect downstream processes, AI model training, or automated workflows relying on these templates. While confidentiality and availability remain unaffected, the integrity compromise could result in operational disruptions, loss of trust in AI outputs, or compliance issues if template modifications violate regulatory requirements. Organizations in sectors with high reliance on AI tooling—such as finance, healthcare, and manufacturing—may face increased risks. Additionally, insider threats or compromised credentials could be leveraged to exploit this vulnerability, emphasizing the need for strong identity and access management. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks, especially as the vulnerability is publicly disclosed.

To mitigate CVE-2024-7476, European organizations should immediately upgrade lunary-ai/lunary to version 1.4.3 or later, where the access control flaw is fixed. Until the upgrade is applied, organizations should implement strict monitoring of API endpoints, especially /v1/templates/{id}/versions, to detect anomalous modification attempts. Enforce the principle of least privilege by limiting user permissions to only those necessary for their roles, reducing the risk posed by compromised accounts. Employ multi-factor authentication (MFA) to protect user credentials and reduce the likelihood of unauthorized access. Conduct regular audits of template changes and maintain version control to quickly identify and revert unauthorized modifications. Additionally, implement network segmentation and API gateway controls to restrict access to the lunary-ai/lunary service. Security teams should also educate users about the risks of credential compromise and monitor for suspicious activity related to template management.