CVE-2024-5386
Password Reset Token Leak in Lunary 1.2.2 Enables Account Hijacking

Publication date: 2026-02-02

Last updated on: 2026-02-11

Assigner: huntr.dev

Description
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with the 'viewer' role can hijack another user's account by obtaining that user's password reset token: when the 'viewer' sends a specific request to the server, the response includes the password reset token in a 'recoveryToken' field. The token can then be used to reset the other user's password without any authorization check. The issue stems from an excessive attack surface (an endpoint that returns a secret that should only ever reach the account owner, for example by email), allowing lower-privileged users to escalate their privileges and take over accounts.
Affected Vendors & Products (1 associated CPE)
Vendor   Product   Version / Range
lunary   lunary    all versions before 1.2.14 (1.2.14 itself is outside the affected range)
CWE ID      Description
CWE-1125    Excessive Attack Surface: the product has an attack surface whose quantitative measurement exceeds a desirable maximum. For this bug the concrete defect behind that classification is a sensitive credential (the password reset token) being disclosed in an API response to a user who is not its owner.
Executive Summary

In lunary-ai/lunary 1.2.2, a user holding only the 'viewer' role can take over another user's account. The viewer sends a specific request to the server, and the response carries that user's password reset token in a 'recoveryToken' field; presenting the token to the password reset endpoint then changes the victim's password with no further authorization. The root cause is an endpoint that returns a secret which should only be delivered out-of-band to the account owner, giving the lowest-privileged role a direct path to privilege escalation.

Impact Analysis

Any authenticated viewer can reset the password of, and thereby gain control over, other users' accounts, including accounts with higher privileges than the attacker's own. Consequences include loss of confidentiality and integrity of the data those accounts can reach, unauthorized access to sensitive information, and potential disruption of service, since the legitimate owner is locked out once the password is changed. The affected range in the CPE data extends to all versions before 1.2.14, so deployments on any earlier release should be treated as exposed, not only 1.2.2.
