In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is protected by a config check (`config.DATA_WAREHOUSE_EXPORTS_ALLOWED`), but it does not verify the user's access level or implement any access control middleware. This vulnerability can lead to the extraction of sensitive data, disruption of services, credential compromise, and service integrity breaches.
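To make the advisory's point concrete, here is an added example in plain JavaScript (illustration only, not lunary's code; the middleware names, the `ctx` shape, the `owner`/`admin` roles and the sample users are all assumptions). It contrasts a route gated only by the deployment flag, which is the shape the advisory describes, with the same route once an explicit role check sits between the flag and the export handler, and it records every denial so that probing of a privileged route is visible in logs.

```javascript
// Added example, not lunary's code: a Koa-style middleware chain that contrasts a
// route gated only by a deployment flag (the flaw described in the advisory) with
// one that also enforces a per-user role check before the export handler runs.
// All names (requireFeature, requireRole, createDatastream, the "owner"/"admin"
// roles, the ctx shape) are hypothetical and chosen for illustration.

// Constructed deployment config: exports are enabled, as the advisory assumes.
const config = { DATA_WAREHOUSE_EXPORTS_ALLOWED: true };

// Tiny synchronous dispatcher: each middleware receives (ctx, next) and stops the
// chain by not calling next(), the same contract Koa and Express use.
function run(middlewares, ctx) {
  const dispatch = (i) => {
    const fn = middlewares[i];
    if (fn) fn(ctx, () => dispatch(i + 1));
  };
  dispatch(0);
  return ctx;
}

// Feature gate: checks only the deployment-wide flag. Enough to switch the feature
// off for everyone, but it says nothing about WHO is calling.
function requireFeature(cfg) {
  return (ctx, next) => {
    if (!cfg.DATA_WAREHOUSE_EXPORTS_ALLOWED) {
      ctx.status = 403;
      ctx.body = { error: "data warehouse exports are disabled" };
      return;
    }
    next();
  };
}

// Authorization gate: requires an authenticated user holding one of the given
// roles, and records each denial so repeated attempts stand out in the audit log.
function requireRole(auditLog, ...roles) {
  return (ctx, next) => {
    const user = ctx.state.user;
    if (!user) {
      ctx.status = 401;
      ctx.body = { error: "authentication required" };
      return;
    }
    if (!roles.includes(user.role)) {
      auditLog.push({ event: "authz_denied", route: ctx.path, userId: user.id, role: user.role });
      ctx.status = 403;
      ctx.body = { error: "insufficient privileges" };
      return;
    }
    next();
  };
}

// Stand-in for the handler that would create the BigQuery datastream.
function createDatastream(ctx) {
  ctx.status = 200;
  ctx.body = { datastream: "created", requestedBy: ctx.state.user ? ctx.state.user.id : null };
}

// Simulate one request to the route (a list of middlewares) as the given user.
function handle(route, user) {
  const ctx = { path: "/bigquery", status: 404, body: null, state: { user } };
  return run(route, ctx);
}

const auditLog = [];
// Vulnerable shape: the config flag is the only guard, so any logged-in user reaches the handler.
const vulnerableRoute = [requireFeature(config), createDatastream];
// Hardened shape: the same flag, then an explicit role check in front of the handler.
const hardenedRoute = [requireFeature(config), requireRole(auditLog, "owner", "admin"), createDatastream];

const member = { id: "u-member", role: "member" }; // constructed ordinary user
const owner = { id: "u-owner", role: "owner" };    // constructed privileged user

console.log("vulnerable route, member:", handle(vulnerableRoute, member).status); // 200
console.log("hardened route, member:  ", handle(hardenedRoute, member).status);   // 403
console.log("hardened route, owner:   ", handle(hardenedRoute, owner).status);    // 200
console.log("audit log:", JSON.stringify(auditLog));
```

The design point is that the feature flag and the authorization decision are different questions: the flag answers "is this capability turned on in this deployment", the role check answers "may this caller use it", and only the second stops an ordinary account from reaching an export handler. Keeping the role check as reusable middleware rather than an inline `if` also makes it easy to audit which privileged routes are missing it.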
History
Wed, 15 Oct 2025 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-285 | |

Wed, 15 Oct 2025 13:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-862 | |

Tue, 29 Apr 2025 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Lunary Lunary lunary | |
| Weaknesses | NVD-CWE-noinfo | |
| CPEs | cpe:2.3:a:lunary:lunary:1.4.28:*:*:*:*:*:*:* | |
| Vendors & Products | Lunary Lunary lunary | |
| Metrics | cvssV3_1 | |

Thu, 20 Mar 2025 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |

Thu, 20 Mar 2025 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is protected by a config check (`config.DATA_WAREHOUSE_EXPORTS_ALLOWED`), but it does not verify the user's access level or implement any access control middleware. This vulnerability can lead to the extraction of sensitive data, disruption of services, credential compromise, and service integrity breaches. | |
| Title | Improper Authorization in lunary-ai/lunary | |
| Weaknesses | CWE-285 | |
| References | | |
| Metrics | cvssV3_0 | |
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2025-03-20T10:08:47.730Z
Updated: 2025-10-15T12:50:45.746Z
Reserved: 2024-09-22T20:03:12.094Z
Link: CVE-2024-9095

Vulnrichment
Updated: 2025-03-20T17:53:06.827Z

NVD
Status: Modified
Published: 2025-03-20T10:15:46.700
Modified: 2025-10-15T13:15:57.507
Link: CVE-2024-9095

Redhat
No data.