The vulnerability arises from the application's handling of password reset tokens, which are inadvertently exposed to users with 'viewer' roles under certain conditions. Specifically, when a 'viewer' role user requests the password reset token for another user, the application incorrectly includes the token in the response to the 'viewer' role user. This token can then be used to reset the password of the targeted user account, effectively allowing unauthorized account takeover.

An attacker, having 'viewer' role access, can exploit this vulnerability by first obtaining the email address of a target user (user-A) with higher privileges. The attacker then initiates a password reset request for user-A's account. Subsequently, the attacker crafts a specific request to the application's backend, which mistakenly returns the password reset token for user-A's account. With this token, the attacker can reset user-A's password and gain unauthorized access to their account.

This vulnerability affects all users of the Lunary application version 1.2.2, especially those with elevated privileges whose accounts could be targeted for unauthorized access. Users with 'viewer' role access can exploit this vulnerability to hijack other user accounts, thereby posing a significant security risk to the integrity and confidentiality of the application's data.