Severity: Medium

Project: lunary

Unauthorized Access to Org User List by Prompt Editor Role

A vulnerability in lunary version 1.2.5 allowed users holding the 'Prompt Editor' role to retrieve the full list of users in their organization, a capability that role was never granted. The `GET /v1/users/me/org` endpoint returned the organization's user list without checking the caller's role, so any authenticated member of the org could enumerate every account in it. The CVSS vector (PR:L, C:H, I:N, A:N) reflects this: an information disclosure reachable by any low-privileged authenticated user, with no impact on integrity or availability. The affected version is 1.2.5; the issue was patched in subsequent releases.

Published: May 24, 2024

CVSS score: 6.5

CVSS vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Credit:

acciobugs

Remediation Steps
  • Ensure your lunary platform is updated to the latest version beyond 1.2.5.
  • Review and apply proper access control checks to all sensitive endpoints, including GET /v1/users/me/org.
  • Conduct a thorough audit of roles and permissions to ensure they are strictly enforced according to the principle of least privilege.
  • Consider implementing additional monitoring and logging of access to sensitive information to quickly detect and respond to unauthorized access attempts.
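The following is an added example illustrating the second remediation step; it is not lunary's own code. It models the `GET /v1/users/me/org` handler in a framework-free way, first in a form that hands the whole user list to any authenticated org member (the behaviour this advisory describes), then in a hardened form that looks up the caller's role server-side and only attaches the membership list when that role is on an allow-list. The role names, the in-memory store, the `ctx.state` shape and the allow-list policy are assumptions made for this illustration.

```typescript
// Added example (not lunary's code): vulnerable vs. hardened org endpoint.
// Role names, store layout, ctx shape and the allow-list are assumptions.

type Role = "owner" | "admin" | "member" | "prompt_editor";

interface User { id: string; email: string; orgId: string; role: Role }
interface Org { id: string; name: string }

// ctx.state is what an auth middleware populates from the session or token.
// It identifies the caller; it must never carry a role supplied by the client.
interface Ctx { state: { userId: string; orgId: string } }

interface Store { orgs: Org[]; users: User[] }

interface OrgResponse { id?: string; name?: string; users?: User[]; error?: string }
interface Result { status: number; body: OrgResponse }

// Constructed sample data: one org with three members of differing roles,
// plus an unrelated user in a second org.
const store: Store = {
  orgs: [{ id: "org_1", name: "Acme" }],
  users: [
    { id: "u_owner", email: "owner@acme.example", orgId: "org_1", role: "owner" },
    { id: "u_admin", email: "admin@acme.example", orgId: "org_1", role: "admin" },
    { id: "u_pe", email: "editor@acme.example", orgId: "org_1", role: "prompt_editor" },
    { id: "u_other", email: "someone@other.example", orgId: "org_2", role: "owner" },
  ],
};

// Builds the ctx an auth middleware would produce for a given logged-in user.
function ctxFor(userId: string, db: Store = store): Ctx {
  const u = db.users.find((x) => x.id === userId);
  if (!u) throw new Error("unknown user");
  return { state: { userId: u.id, orgId: u.orgId } };
}

// Vulnerable: the only check is "is this request authenticated". Every member
// of the org, whatever their role, receives every user record (ids, emails, roles).
function getMyOrgVulnerable(ctx: Ctx, db: Store = store): Result {
  const org = db.orgs.find((o) => o.id === ctx.state.orgId);
  if (!org) return { status: 404, body: { error: "org not found" } };
  const users = db.users.filter((u) => u.orgId === org.id);
  return { status: 200, body: { ...org, users } };
}

// Roles permitted to enumerate the org's membership (assumed policy).
const CAN_LIST_ORG_USERS: ReadonlySet<Role> = new Set<Role>(["owner", "admin"]);

// Hardened: the caller's role is read from the database, not the request, and
// the caller is confirmed to belong to the org they claim. Roles outside the
// allow-list get the org metadata and their own record only.
function getMyOrgHardened(ctx: Ctx, db: Store = store): Result {
  const org = db.orgs.find((o) => o.id === ctx.state.orgId);
  if (!org) return { status: 404, body: { error: "org not found" } };
  const me = db.users.find((u) => u.id === ctx.state.userId && u.orgId === org.id);
  if (!me) return { status: 403, body: { error: "not a member of this org" } };
  if (!CAN_LIST_ORG_USERS.has(me.role)) {
    return { status: 200, body: { ...org, users: [me] } };
  }
  const users = db.users.filter((u) => u.orgId === org.id);
  return { status: 200, body: { ...org, users } };
}
```

The check worth copying is the one that decides based on `me.role` fetched from the store: a role claimed in the request body or a header would be attacker-controlled. A quick regression test for this class of bug is to call the endpoint as the lowest-privileged role and assert that the response contains no records other than the caller's own.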
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A