Vulnerability Database

315,363

Total vulnerabilities in the database

CVE-2024-5133

In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the GET /v1/users/me/org endpoint, which lists all users in a team. This allows any authenticated user to capture the recovery token of another user and subsequently change that user's password without consent, effectively taking over the account. The issue lies in the inclusion of the recovery_token attribute in the users object returned by the API.

Published: Jun 6, 2024
Updated: Nov 16, 2025
CVE: CVE-2024-5133
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
lunary / lunary	-	1.2.14

https://huntr.com/bounties/6057598d-93c4-4a94-bb80-5bd508013c5b

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo