The vulnerability stems from an improper access control implementation in the lunary platform. Specifically, the endpoint GET /v1/users/me/org did not include a necessary access control check (checkAccess("teamMembers", "read")) to verify if the requesting user has the permission to read team member information. As a result, users assigned the 'Prompt Editor' role, which is intended to have limited access primarily to prompt management and project viewing, were able to retrieve a full list of users within their organization. This exposure of sensitive information could potentially be exploited by malicious actors within an organization to escalate privileges or conduct targeted attacks.

An attacker with access to a 'Prompt Editor' account within the lunary platform could exploit this vulnerability by sending a specially crafted HTTP GET request to the GET /v1/users/me/org endpoint. By including a valid authorization token for the 'Prompt Editor' role in the request headers, the attacker would receive a response containing the full list of users in the organization, including their roles and permissions, despite not having explicit permission to access this information.

The vulnerability specifically affects organizations using lunary version 1.2.5, where users with the 'Prompt Editor' role could gain unauthorized access to sensitive information about other users within the same organization. This could potentially impact the privacy and security of all users within the affected organizations.