CVE-2024-5386
Unknown Unknown - Not Provided

Password Reset Token Leak in Lunary 1.2.2 Enables Account Hijacking

Vulnerability report for CVE-2024-5386, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-02

Last updated on: 2026-02-11

Assigner: huntr.dev

Description

In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role user sends a specific request to the server, which responds with a password reset token in the 'recoveryToken' parameter. This token can then be used to reset the password of another user's account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-02
Last Modified
2026-02-11
Generated
2026-07-06
AI Q&A
2026-02-02
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
lunary lunary to 1.2.14 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1125 The product has an attack surface whose quantitative measurement exceeds a desirable maximum.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in lunary-ai/lunary version 1.2.2 allows a user with a 'viewer' role to hijack another user's account by exploiting a password reset token leak. When the 'viewer' sends a specific request, the server responds with a password reset token in the 'recoveryToken' parameter, which can then be used to reset the password of another user's account without authorization. This happens because the system exposes an excessive attack surface, enabling lower-privileged users to escalate privileges and take over accounts.

Impact Analysis

This vulnerability can lead to unauthorized account takeover, allowing attackers with minimal privileges to reset passwords and gain control over other users' accounts. This can result in loss of data confidentiality and integrity, unauthorized access to sensitive information, and potential disruption of services.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-5386. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart