9.6

CVE-2024-5386

Exploit

EPSS 0.08%
Veröffentlicht 02.02.2026 10:36:23
Zuletzt bearbeitet 11.02.2026 21:03:48
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role user sends a specific request to the server, which responds with a password reset token in the 'recoveryToken' parameter. This token can then be used to reset the password of another user's account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lunary ≫ Lunary Version < 1.2.14

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.225

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@huntr.dev	9.6	3.1	5.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CWE-1125 Excessive Attack Surface

The product has an attack surface whose quantitative measurement exceeds a desirable maximum.

https://huntr.com/bounties/602eb4a1-305d-46d6-b975-5a5d8b040ad1

Patch

Third Party Advisory

Exploit

https://github.com/lunary-ai/lunary/commit/fc7ab3d5621c18992da5dab3a2a9a8d227d42311

Broken Link

https://nvd.nist.gov/vuln/detail/CVE-2024-5386

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-5386

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-5386

EUVD