The vulnerability arises from a lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint datasets.delete('/:id', async (ctx: Context) => {...}) directly deletes a dataset based on the ID provided in the URL without verifying if the requester has the appropriate permissions to perform this action. This oversight allows any authenticated or unauthenticated user to delete any dataset by simply knowing or guessing the dataset's ID.

An attacker, by exploiting this vulnerability, could send a DELETE request to the /v1/datasets/{dataset_id} endpoint with the ID of the dataset they wish to delete. Since there are no checks for the user's permissions, the request would result in the deletion of the specified dataset, leading to potential data loss and disruption of service for legitimate users.

All users of lunary-ai/lunary version 1.2.2 are affected by this vulnerability, as any user could have their datasets deleted by an attacker. This includes both authenticated users who rely on the integrity and availability of their datasets and the administrators who maintain the application.