The vulnerability stems from the lack of validation to check if a user, who is issuing a request to change an organization's name, is currently a member of that organization. An attacker could exploit this by using an old session token, which was issued before they were removed from the organization, to authorize a request to change the organization's name. This could lead to unauthorized changes to organization details, potentially causing confusion or misuse of the organization's identity.

An attacker, previously a member of an organization, is removed by an admin. However, the attacker had previously saved their authorization token. Despite their removal, they use this token to send a PATCH request to the organization's endpoint, changing the organization's name without authorization. This is possible because the system does not verify if the user associated with the token is still a member of the organization at the time of the request.

Any organization using lunary-ai/lunary versions up to 1.0.2 could be affected by this vulnerability. Specifically, organizations are at risk from former members who still possess valid session tokens and could exploit this oversight to make unauthorized changes.