2025-03-20 10:10:37
@huntr_ai
PUBLISHED
In lunary-ai/lunary, the privilege check mechanism is flawed in version git afc5df4. The system incorrectly identifies certain endpoints as public if the path contains /auth/ anywhere within it. This allows unauthenticated attackers to access sensitive endpoints by including /auth/ in the path. As a result, attackers can obtain and modify sensitive data and utilize other organizations resources without proper authentication.