CVE-2024-9095: CWE-862 Missing Authorization in lunary-ai lunary-ai/lunary
In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is protected by a config check (`config.DATA_WAREHOUSE_EXPORTS_ALLOWED`), but it does not verify the user's access level or implement any access control middleware. This vulnerability can lead to the extraction of sensitive data, disruption of services, credential compromise, and service integrity breaches.
AI Analysis
Technical Summary
CVE-2024-9095 is a critical authorization bypass vulnerability identified in lunary-ai/lunary version v1.4.28. The issue lies in the /bigquery API route, which is intended to allow exporting data to Google BigQuery. While the route is protected by a configuration flag (`config.DATA_WAREHOUSE_EXPORTS_ALLOWED`), it lacks any verification of the user's authorization level or the implementation of access control middleware. Consequently, any authenticated user can invoke this endpoint to create a Datastream to Google BigQuery and export the entire database contents. This includes highly sensitive information such as password hashes and secret API keys, which could be leveraged for further attacks or unauthorized access. The vulnerability is classified under CWE-862 (Missing Authorization), highlighting the absence of proper access control checks. The CVSS 3.0 score of 9.8 reflects the critical nature of this flaw, with an attack vector over the network, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the severity of potential damage make this a significant threat. The affected version range is not further specified beyond lunary-ai/lunary up to and including v1.4.28. Without a patch currently available, organizations must urgently implement compensating controls to prevent unauthorized data exfiltration.
Potential Impact
For European organizations, this vulnerability poses a severe risk of data breaches involving sensitive personal and corporate data, including password hashes and API keys. Exploitation could lead to unauthorized access to internal systems, credential theft, and lateral movement within networks. The exposure of secret API keys can compromise other integrated services, amplifying the attack surface. Data integrity and availability may also be affected if attackers manipulate or disrupt the export process. Organizations subject to GDPR and other data protection regulations face potential legal and financial consequences due to unauthorized data disclosure. The critical severity and network-based exploitability mean that attackers can remotely compromise systems without user interaction, increasing the likelihood of widespread impact. This threat is particularly concerning for sectors handling sensitive or regulated data, such as finance, healthcare, and government entities in Europe.
Mitigation Recommendations
1. Immediately restrict access to the /bigquery API endpoint by implementing strict role-based access control (RBAC) or attribute-based access control (ABAC) to ensure only authorized administrators can initiate data exports.
2. Introduce access control middleware that verifies user permissions before processing export requests.
3. Disable the `config.DATA_WAREHOUSE_EXPORTS_ALLOWED` flag if data exports are not essential or restrict it to trusted environments only.
4. Monitor and audit all data export activities, especially those involving BigQuery, to detect anomalous or unauthorized usage.
5. Rotate all potentially exposed credentials, including API keys and passwords, following any suspected exploitation.
6. Apply network segmentation to limit the exposure of the lunary-ai/lunary service to trusted internal users only.
7. Engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available.
8. Conduct regular security assessments and penetration testing focusing on authorization controls within the application.
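The following is an added illustration of recommendations 2 and 4, not code from lunary-ai/lunary: an export route guarded only by the deployment flag (the pattern the advisory describes) beside the same route placed behind a role-checking middleware that also records every attempt to an audit sink. The request shape, the `requireRole` helper, the role names and the in-memory `auditLog` are assumptions for this example.

```javascript
// Added example (not lunary's own code). `config`, `requireRole`, the request shape
// and the role names are assumptions made for this illustration.
const config = { DATA_WAREHOUSE_EXPORTS_ALLOWED: true };

// Minimal middleware pipeline: a middleware returns a response to short-circuit,
// or undefined to hand control to the next one and finally to the handler.
function runPipeline(req, middlewares, handler) {
  for (const mw of middlewares) {
    const res = mw(req);
    if (res) return res;
  }
  return handler(req);
}

// Guard as described in the advisory: only the deployment flag is checked, so every
// authenticated user reaches the export handler (CWE-862, missing authorization).
function configOnlyGuard(req) {
  if (!config.DATA_WAREHOUSE_EXPORTS_ALLOWED) return { status: 403, body: "exports disabled" };
}

// Authorization middleware: requires an authenticated user whose role is allow-listed.
function requireRole(...roles) {
  return (req) => {
    if (!req.user) return { status: 401, body: "unauthenticated" };
    if (!roles.includes(req.user.role)) return { status: 403, body: "forbidden" };
  };
}

// Stand-in for creating the BigQuery Datastream; the real work is out of scope here.
function createBigQueryDatastream(req) {
  return { status: 200, body: `datastream requested for project ${req.body.projectId}` };
}

// Vulnerable shape: config flag only, no check of who is asking.
function vulnerableBigQueryRoute(req) {
  return runPipeline(req, [configOnlyGuard], createBigQueryDatastream);
}

// Constructed in-memory audit sink; a deployment would forward these records to a SIEM.
const auditLog = [];

// Hardened shape: config flag, then role check, and an audit record for every attempt,
// including denied ones, so unauthorized export attempts are visible to detection.
function hardenedBigQueryRoute(req) {
  const res = runPipeline(req, [configOnlyGuard, requireRole("owner", "admin")], createBigQueryDatastream);
  const actor = req.user ? req.user.id : null;
  const role = req.user ? req.user.role : null;
  auditLog.push({ route: "/bigquery", actor, role, status: res.status });
  return res;
}
```

Under the hardened route a plain member is refused with 403 while the attempt still lands in `auditLog`, which is the signal recommendation 4 asks operators to monitor.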
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-09-22T20:03:12.094Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b2f178f764e1f470ed0
Added to database: 10/15/2025, 1:01:35 PM
Last enriched: 10/15/2025, 1:07:22 PM
Last updated: 10/15/2025, 6:03:22 PM