CVE-2024-4147
Insufficient Access Control in Lunary AI Allows Cross-Org Prompt Deletion

Publication date: 2026-02-02

Last updated on: 2026-02-11

Assigner: huntr.dev

Description
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user's project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies.
Meta Information
Published: 2026-02-02
Last Modified: 2026-02-11
Generated: 2026-06-16
AI Q&A: 2026-02-02
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: lunary
Product: lunary
Version / Range: up to 1.2.25 (excluding)
CWE
CWE-1220: The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, the implemented access controls lack the required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
Executive Summary

This vulnerability in lunary-ai/lunary version 1.2.13 is due to insufficient granularity of access control. It allows users to delete prompts created by other organizations by manipulating the prompt ID. The application fails to verify that the prompt belongs to the user's organization or project before allowing deletion; it only checks that the user has permission to delete prompts in general. This flaw enables unauthorized deletion of prompts not owned by the user's organization.

Impact Analysis

The vulnerability can lead to legitimate users being unable to access prompts that were deleted by unauthorized users from other organizations. This causes information inconsistencies and potential disruption of any workflow that relies on those prompts, and may result in loss of important data or resources within the affected application.

Mitigation Strategies

To mitigate this vulnerability, ensure that every deletion operation verifies prompt ownership: the prompt must belong to the requesting user's organization or project, not merely be an ID the user is allowed to name. Implement or enforce access control checks that validate prompt ownership before allowing deletion. Additionally, monitor and audit deletion activities to detect unauthorized prompt removals.
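The missing ownership check described above, modelled as an added example that is not Lunary's code: a permission-only delete handler beside a tenant-scoped one, over a constructed in-memory prompt store. The field names (orgId, projectId, canDeletePrompts) and the audit log shape are assumptions, not Lunary's schema.

```javascript
// Constructed sample data: two prompts owned by two different organizations.
function makeStore() {
  return new Map([
    ["p-100", { id: "p-100", orgId: "org-A", projectId: "proj-A1" }],
    ["p-200", { id: "p-200", orgId: "org-B", projectId: "proj-B1" }],
  ]);
}

const auditLog = []; // hypothetical sink for deletion events

// Vulnerable shape (CWE-1220): authorization checks only WHAT the caller may
// do (delete prompts), never WHICH prompt they may touch, so any valid ID works.
function deletePromptVulnerable(store, user, promptId) {
  if (!user.canDeletePrompts) return { status: 403 };
  if (!store.has(promptId)) return { status: 404 };
  store.delete(promptId);
  return { status: 200 };
}

// Hardened shape: the lookup itself is scoped to the caller's org and project,
// so a prompt ID from another tenant behaves exactly like a non-existent ID.
function deletePromptScoped(store, user, promptId) {
  if (!user.canDeletePrompts) return { status: 403 };
  const prompt = store.get(promptId);
  const owned = prompt !== undefined &&
    prompt.orgId === user.orgId && prompt.projectId === user.projectId;
  if (!owned) {
    // Cross-tenant attempts are the detection signal for this bug class.
    auditLog.push({ event: "prompt.delete.denied", userId: user.id, promptId });
    return { status: 404 }; // 404, not 403: do not confirm the ID exists elsewhere
  }
  store.delete(promptId);
  auditLog.push({ event: "prompt.delete", userId: user.id, promptId, orgId: user.orgId });
  return { status: 200 };
}

// A user in org-A / proj-A1 tries to delete org-B's prompt, then its own.
function demo() {
  const userA = { id: "u-1", orgId: "org-A", projectId: "proj-A1", canDeletePrompts: true };
  const vulnerable = makeStore();
  const scoped = makeStore();
  return {
    crossOrgVulnerable: deletePromptVulnerable(vulnerable, userA, "p-200").status, // 200
    crossOrgScoped: deletePromptScoped(scoped, userA, "p-200").status,             // 404
    ownScoped: deletePromptScoped(scoped, userA, "p-100").status,                  // 200
    remainingScoped: [...scoped.keys()],                                            // ["p-200"]
    deniedEvents: auditLog.filter((e) => e.event === "prompt.delete.denied").length,
  };
}
```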
