The vulnerability stems from the lack of authorization checks when attempting to delete a dataset. Specifically, the application's endpoint for dataset deletion does not verify if the dataset ID provided in the request belongs to the authenticated user or even if the request is authenticated at all. This oversight allows an attacker to delete any dataset by simply knowing its ID.

An attacker first creates a user account on https://app.lunary.ai to understand the project's structure and obtain a valid dataset ID. Then, by crafting a DELETE request to the vulnerable endpoint without an Authorization header, the attacker can delete any dataset, regardless of ownership. This attack does not require the attacker to be authenticated, making it particularly severe.

All users of the lunary-ai/lunary application version 1.2.2 are affected by this vulnerability. Specifically, any user who has datasets stored within the application is at risk of having their data deleted by an unauthenticated attacker.