The core of this vulnerability lies in the lack of backend validation for user roles and permissions during the invitation process. Specifically, the system failed to verify if the inviting user was on a Paid or Enterprise plan before allowing them to assign roles exclusive to these plans. Additionally, the signup process did not validate if the organization belonged to a user who had paid for a plan, allowing users to join projects under Free plan accounts with roles they should not have access to.

An attacker, using a Free plan account, could exploit this vulnerability by directly sending a crafted POST request to the server, bypassing the UI restrictions that prevent Free plan users from sending invitations. The request would include an unauthorized role assignment for the invitee. Once the invitee accepts the invitation through a link sent via email, they could join the project with elevated privileges not intended for Free plan users.

This vulnerability affects all users of the lunary-ai/lunary platform, particularly those on Free plans. It undermines the integrity of the platform's access control and role assignment mechanisms, potentially allowing unauthorized users to gain access to functionalities and data reserved for Paid or Enterprise plans.