CVE-2024-9098 is a privilege escalation vulnerability classified under CWE-863 (Incorrect Authorization) affecting lunary-ai/lunary prior to version 1.4.30. The vulnerability arises because the user creation API endpoint does not properly restrict administrators from assigning billing permissions when inviting new users. Normally, billing permissions should be tightly controlled to prevent unauthorized access to sensitive financial resources. However, due to insufficient authorization checks, any user with admin privileges can invite new members and assign them billing roles, effectively escalating their own privileges indirectly. This flaw compromises the principle of least privilege and can lead to unauthorized access to billing data and management functions. The CVSS v3.0 score is 7.3 (high), reflecting network attack vector (remote), low attack complexity, privileges required (admin), user interaction required (inviting users), and high impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to organizations relying on lunary-ai/lunary for managing user roles and billing. The issue was publicly disclosed on March 20, 2025, and requires patching by upgrading to version 1.4.30 or later.

For European organizations, this vulnerability poses a substantial risk to financial data confidentiality and integrity. Unauthorized billing access could lead to fraudulent transactions, financial data leakage, or manipulation of billing records. Organizations in finance, SaaS, and cloud services sectors using lunary-ai/lunary are particularly vulnerable. The ability for admins to escalate privileges undermines internal security controls and could facilitate insider threats or lateral movement by malicious actors. Given the network-exploitable nature and low complexity, attackers with admin access can exploit this vulnerability relatively easily. The financial impact could be significant, including regulatory penalties under GDPR if billing data is compromised. Operational disruption is less likely since availability is not affected, but trust and compliance risks are elevated.

European organizations should immediately upgrade lunary-ai/lunary to version 1.4.30 or later where this vulnerability is fixed. Until patching, restrict admin privileges to only trusted personnel and monitor user creation activities closely for suspicious billing role assignments. Implement additional internal controls such as multi-factor approval workflows for billing permission grants. Audit logs should be reviewed regularly to detect unauthorized privilege escalations. Network segmentation and role-based access controls should be enforced to limit the blast radius of compromised admin accounts. Security teams should also educate admins about the risk of improper user invitations and enforce strict policies on role assignments. Finally, integrate vulnerability scanning and continuous monitoring to detect any attempts to exploit this flaw.