
CVE-2024-8999: CWE-862 Missing Authorization in lunary-ai lunary-ai/lunary

Severity: Critical
Type: Vulnerability
Tags: cve, cve-2024-8999, cwe-862
Published: Thu Mar 20 2025 (03/20/2025, 10:08:51 UTC)
Source: CVE Database V5
Vendor/Project: lunary-ai
Product: lunary-ai/lunary

Description

lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. This vulnerability allows any user to export the entire database data by creating a stream to Google BigQuery without proper authentication or authorization. The issue is fixed in version 1.4.26.

AI-Powered Analysis

Last updated: 10/15/2025, 13:08:43 UTC

Technical Analysis

CVE-2024-8999 is an improper access control vulnerability (CWE-862) identified in lunary-ai/lunary version v1.4.25. The vulnerability exists in the POST /api/v1/data-warehouse/bigquery endpoint, which is designed to export data streams to Google BigQuery. Due to missing authorization checks, any unauthenticated user can invoke this endpoint to export the entire database contents without restriction. This means an attacker can exfiltrate sensitive data at will, compromising confidentiality. Additionally, the lack of integrity and availability controls means attackers could potentially disrupt or manipulate data exports. The vulnerability is remotely exploitable over the network without any privileges or user interaction, contributing to its high CVSS score of 9.8. The issue was publicly disclosed on March 20, 2025, and fixed in lunary-ai/lunary version 1.4.26. No public exploits have been reported yet, but the critical nature of the flaw demands immediate attention. The vulnerability affects all deployments running the vulnerable version, especially those exposing the API endpoint to untrusted networks.

Potential Impact

For European organizations, this vulnerability poses a severe risk of data breach and loss of data integrity. Organizations using lunary-ai/lunary for data warehousing and analytics could suffer significant exposure of sensitive business, customer, or personal data if exploited. This could lead to regulatory penalties under GDPR due to unauthorized data disclosure. The ability to export entire databases without authentication also risks intellectual property theft and competitive disadvantage. Furthermore, attackers could disrupt normal data operations by manipulating or deleting data streams, impacting business continuity. The critical severity and ease of exploitation mean that any exposed lunary-ai/lunary instance is a high-value target for attackers, including cybercriminals and state-sponsored actors. The reputational damage and financial losses from such a breach could be substantial.

Mitigation Recommendations

1. Immediately upgrade all lunary-ai/lunary deployments to version 1.4.26 or later, where the vulnerability is fixed.
2. Restrict network access to the /api/v1/data-warehouse/bigquery endpoint using firewalls or API gateways to allow only trusted internal systems.
3. Implement strong authentication and authorization controls on all API endpoints, especially those handling sensitive data exports.
4. Monitor logs and network traffic for unusual or unauthorized BigQuery export attempts.
5. Conduct a thorough audit of data access and export activities to detect any prior exploitation.
6. Employ data loss prevention (DLP) solutions to detect and block unauthorized data exfiltration.
7. Educate development and operations teams about secure API design and the importance of access control.
8. If immediate patching is not possible, consider temporarily disabling the vulnerable endpoint or isolating the affected systems from untrusted networks.
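As an added illustration of recommendation 3 (example code, not lunary's own code and not the actual 1.4.26 fix), the following shows the shape of the defect and its remedy: a route table where every non-public handler declares the authorization guard it requires, and a small audit that flags any route registered without one. The bearer-key principal store, the project-scoped roles and the request shape are all assumptions made for the example.

```javascript
// Constructed principal store: maps an API key to a user and its role on a project.
const PRINCIPALS = {
  "key-admin-1": { userId: "u1", projectId: "p1", role: "owner" },
  "key-viewer-2": { userId: "u2", projectId: "p1", role: "viewer" },
};

// Authentication: resolve the bearer token to a principal, or null if unknown.
function authenticate(req) {
  const key = (req.headers["authorization"] || "").replace(/^Bearer /, "");
  return PRINCIPALS[key] || null;
}

// Authorization guard: the caller must be authenticated (else 401) and hold one
// of the allowed roles on the project the request targets (else 403).
// Returns an HTTP status to reject with, or null when the request may proceed.
function requireRole(...roles) {
  return (req) => {
    const p = authenticate(req);
    if (!p) return 401;
    if (p.projectId !== req.body.projectId || !roles.includes(p.role)) return 403;
    return null;
  };
}

// The export handler itself never sees a request that failed the guard.
function bigQueryExportHandler(req) {
  return { status: 202, body: { streamCreated: true, projectId: req.body.projectId } };
}

// Route table. A CWE-862 bug is simply a sensitive route registered with guard: null.
const routes = [
  { method: "POST", path: "/api/v1/data-warehouse/bigquery",
    guard: requireRole("owner", "admin"), handler: bigQueryExportHandler },
  { method: "GET", path: "/api/v1/health", guard: null, public: true,
    handler: () => ({ status: 200 }) },
];

// Dispatch: run the guard first; only on null fall through to the handler.
function dispatch(route, req) {
  if (route.guard) {
    const status = route.guard(req);
    if (status) return { status };
  }
  return route.handler(req);
}

// Audit: list every route that is neither public nor guarded, for review before deploy.
function unguardedRoutes(table) {
  return table.filter((r) => !r.guard && !r.public).map((r) => `${r.method} ${r.path}`);
}
```

Running `unguardedRoutes` over the real route table in CI turns the class of bug described above into a build failure rather than a post-release advisory.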

Technical Details

Data Version
5.1
Assigner Short Name
@huntr_ai
Date Reserved
2024-09-19T14:18:48.818Z
Cvss Version
3.0
State
PUBLISHED

Threat ID: 68ef9b2e178f764e1f470e99

Added to database: 10/15/2025, 1:01:34 PM

Last enriched: 10/15/2025, 1:08:43 PM

Last updated: 10/16/2025, 8:49:25 AM
