The core of this vulnerability lies in the improper invalidation of authorization tokens upon a user's removal from an organization. Typically, when a user is removed from an organization, their access to resources within that organization should be revoked immediately. However, due to a flaw in the lunary application, the old authorization tokens were not invalidated, allowing the removed user to continue accessing and manipulating project templates. This oversight could lead to unauthorized access and modification of sensitive data, posing significant security risks.

An attacker, previously a member of an organization within the lunary application, is removed from the organization but retains their old authorization token. The attacker then uses this token to send HTTP requests to the lunary web application, performing actions such as reading, creating, editing, and deleting prompt templates within the project they were removed from. This scenario assumes the attacker has knowledge of the HTTP request structure and possesses a valid, though supposedly invalidated, authorization token.

This vulnerability affects any users who have been removed from an organization within the lunary application but still possess their old authorization tokens. It also impacts the security posture of the organizations from which these users have been removed, as it allows for unauthorized access and manipulation of their data.