CVE-2024-9096 identifies a missing authorization vulnerability (CWE-862) in the lunary-ai/lunary project management software, specifically in version 1.4.28. The vulnerability exists in the /checklists/:id API endpoint, which accepts PATCH requests to modify checklist data. Due to insufficient access control, low-privilege users associated with a project can modify checklists without restriction, bypassing intended role-based permissions. This includes altering critical fields such as the checklist slug and other data elements, which can disrupt project workflows, corrupt business logic, and introduce errors that compromise data integrity. The vulnerability is exploitable remotely over the network without user interaction, requiring only low privileges (i.e., being a project member). The CVSS 3.0 base score of 7.6 reflects a high severity due to the potential for integrity and availability impacts, ease of exploitation, and the broad scope of affected users within a project. No patches or known exploits are currently reported, but the lack of authorization checks represents a significant security gap. Organizations using lunary-ai/lunary should prioritize reviewing and enforcing strict access controls on API endpoints that modify critical project data to prevent unauthorized modifications.

For European organizations, this vulnerability poses a significant risk to the integrity and availability of project management data. Unauthorized modifications to checklists can disrupt essential workflows, leading to project delays, miscommunication, and potential financial losses. Altered business logic may cause erroneous decisions or actions based on corrupted data. Since lunary-ai/lunary is used for collaborative project management, the vulnerability could allow insider threats or compromised low-privilege accounts to escalate their impact without detection. This undermines trust in the software and may affect compliance with data integrity and security regulations such as GDPR if project data includes personal or sensitive information. The operational impact could extend to critical infrastructure projects, software development, and other sectors relying on accurate project tracking and management. The ease of exploitation and network accessibility increase the urgency for mitigation in environments where lunary-ai/lunary is deployed.

1. Implement strict role-based access control (RBAC) on the /checklists/:id PATCH endpoint to ensure only authorized users (e.g., project owners, admins) can modify checklists. 2. Conduct a thorough audit of all API endpoints to verify proper authorization checks are in place. 3. Apply any available patches or updates from lunary-ai addressing this vulnerability as soon as they are released. 4. Introduce monitoring and alerting for unusual checklist modification activities, especially from low-privilege accounts. 5. Educate project members about the risks of unauthorized changes and enforce the principle of least privilege in user roles. 6. Consider implementing additional application-layer security controls such as input validation and change approval workflows for critical project data. 7. Regularly review and update access policies to adapt to organizational changes and emerging threats.