CVE-2024-5386
Password Reset Token Leak in Lunary 1.2.2 Enables Account Hijacking
Publication date: 2026-02-02
Last updated on: 2026-02-11
Assigner: huntr.dev
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lunary | lunary | up to 1.2.14 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1125 | The product has an attack surface whose quantitative measurement exceeds a desirable maximum. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in lunary-ai/lunary version 1.2.2 allows a user with a 'viewer' role to hijack another user's account by exploiting a password reset token leak. When the 'viewer' sends a specific request, the server responds with a password reset token in the 'recoveryToken' parameter, which can then be used to reset the password of another user's account without authorization. This happens because the system exposes an excessive attack surface, enabling lower-privileged users to escalate privileges and take over accounts.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized account takeover, allowing attackers with minimal privileges to reset passwords and gain control over other users' accounts. This can result in loss of data confidentiality and integrity, unauthorized access to sensitive information, and potential disruption of services.