CVE-2025-9803: CWE-287 Improper Authentication in lunary-ai lunary-ai/lunary

Severity: Critical
Tags: CVE-2025-9803, CWE-287
Published: Tue Nov 25 2025 (11/25/2025, 00:00:35 UTC)
Source: CVE Database V5
Vendor/Project: lunary-ai
Product: lunary-ai/lunary

Description

lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' (audience) field in the access token issued by Google, which is crucial for ensuring the token is intended for the application. This oversight allows attackers to use tokens issued to malicious applications to gain unauthorized access to user accounts. The issue is resolved in version 1.9.35.

AI-Powered Analysis

Last updated: 12/02/2025, 04:24:51 UTC

Technical Analysis

CVE-2025-9803 is a critical security vulnerability classified under CWE-287 (Improper Authentication) affecting lunary-ai/lunary version 1.9.34. The root cause is the application's failure to verify the 'aud' (audience) claim in the Google OAuth access token. The 'aud' field is essential to confirm that the token was issued specifically for the lunary-ai application. Without this verification, an attacker can present a valid access token issued to a malicious or different application and gain unauthorized access to user accounts within lunary-ai. This bypasses the intended authentication mechanism, effectively allowing account takeover. The vulnerability requires no privileges and only user interaction during the OAuth login process, making exploitation feasible in targeted phishing or social engineering attacks. The CVSS v3.0 score is 9.3 (critical), reflecting the high impact on confidentiality and integrity, with no impact on availability. The scope is changed (S:C) because the attacker can access other users' accounts. The issue is resolved in lunary-ai/lunary version 1.9.35 by implementing proper validation of the 'aud' claim in OAuth tokens. No known exploits are reported in the wild yet, but the high severity and ease of exploitation make prompt remediation essential.

Potential Impact

For European organizations, this vulnerability poses a significant risk to user account security and data confidentiality. Organizations relying on lunary-ai/lunary for critical business functions or sensitive data management could face unauthorized data access, leading to data breaches, loss of intellectual property, and reputational damage. The improper authentication flaw undermines trust in OAuth-based single sign-on, potentially exposing users to account takeover through token misuse. Attackers could impersonate legitimate users, access confidential communications, or manipulate data, impacting business operations and compliance with GDPR and other data protection regulations. The lack of availability impact means service disruption is unlikely, but the confidentiality and integrity risks are severe. Organizations with extensive cloud integration and Google OAuth usage are particularly vulnerable.

Mitigation Recommendations

The primary mitigation is to upgrade lunary-ai/lunary to version 1.9.35 or later, where the 'aud' claim verification is correctly implemented. Organizations should audit their OAuth token validation processes to ensure all tokens are verified against the expected audience and issuer fields. Implement additional monitoring for anomalous login patterns and token usage to detect potential misuse. Employ multi-factor authentication (MFA) to reduce the risk of account takeover even if token validation is bypassed. Educate users about phishing risks associated with OAuth login flows. For environments where immediate upgrade is not possible, consider disabling Google OAuth login temporarily or restricting access to trusted IP ranges. Regularly review OAuth client configurations and permissions to minimize attack surface.

Technical Details

Data Version
5.2
Assigner Short Name
@huntr_ai
Date Reserved
2025-09-01T13:06:49.733Z
Cvss Version
3.0
State
PUBLISHED

Threat ID: 6924fa182a08b12b0e784284

Added to database: 11/25/2025, 12:36:40 AM

Last enriched: 12/2/2025, 4:24:51 AM

Last updated: 1/9/2026, 4:50:53 AM
