CVE-2024-4147
Unknown Unknown - Not Provided

Insufficient Access Control in Lunary AI Allows Cross-Org Prompt Deletion

Vulnerability report for CVE-2024-4147, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-02

Last updated on: 2026-02-11

Assigner: huntr.dev

Description

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user's project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-02
Last Modified
2026-02-11
Generated
2026-07-06
AI Q&A
2026-02-02
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
lunary lunary to 1.2.25 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1220 The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in lunary-ai/lunary version 1.2.13 is due to insufficient granularity of access control. It allows users to delete prompts created by other organizations by manipulating the prompt ID. The application fails to verify if the prompt belongs to the user's organization or project before allowing deletion, only checking if the user has permission to delete prompts in general. This flaw enables unauthorized deletion of prompts not owned by the user’s organization.

Impact Analysis

The vulnerability can lead to legitimate users being unable to access prompts that have been deleted by unauthorized users from other organizations. This causes information inconsistencies and potential disruption of normal operations relying on those prompts. It may result in loss of important data or resources within the affected application.

Mitigation Strategies

To mitigate this vulnerability, immediately restrict user permissions to ensure that deletion operations verify prompt ownership within the user's organization or project. Implement or enforce access control checks that validate prompt ownership before allowing deletion. Additionally, monitor and audit deletion activities to detect unauthorized prompt removals.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-4147. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart