CVE-2024-3761: Lunary Auth Bypass Vulnerability

CVE-2024-3761 is an authentication bypass flaw in Lunary that allows unauthenticated users to delete datasets without authorization. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2024-3761 Overview

CVE-2024-3761 is a missing authorization vulnerability [CWE-862] in lunary-ai/lunary version 1.2.2. The DELETE endpoint at packages/backend/src/api/v1/datasets lacks authentication and authorization controls. Any unauthenticated user can issue a DELETE request to remove datasets from the affected instance. The flaw was reported through Huntr and remediated in Lunary version 1.2.8.

Critical Impact

Unauthenticated attackers can permanently delete datasets over the network, causing data loss and disruption of service for Lunary deployments.

Affected Products

  • lunary-ai/lunary version 1.2.2
  • All lunary:lunary releases prior to 1.2.8
  • Self-hosted Lunary backend exposing the datasets API

Discovery Timeline

  • 2024-05-20 - CVE-2024-3761 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-3761

Vulnerability Analysis

The vulnerability resides in the dataset management routes of the Lunary backend. The DELETE handler under packages/backend/src/api/v1/datasets does not validate the requesting user's session token or project ownership. As a result, the endpoint processes deletion requests without verifying caller identity or permissions. An attacker who can reach the Lunary API over the network can remove arbitrary datasets belonging to any project.

This is a broken access control issue rather than a memory or injection flaw. The attack requires no privileges, no user interaction, and minimal complexity. Lunary is used as an observability and evaluation platform for large language model (LLM) applications, so deleted datasets may include evaluation suites, prompt corpora, and training samples critical to downstream AI workflows.

Root Cause

The root cause is a missing authorization check [CWE-862] on the dataset delete route. The route handler omits the middleware that validates bearer tokens and verifies that the caller has rights over the target dataset. The fix introduced in commit 14078c1d2b8766075bf655f187ece24c7a787776 adds the required authentication and authorization enforcement before deletion proceeds.

Attack Vector

An attacker sends an HTTP DELETE request to the dataset endpoint with a dataset identifier. No Authorization header or session cookie is required. The server returns a successful deletion response and removes the underlying record. The attack is repeatable against any known dataset ID and can be scripted to enumerate and wipe datasets across a deployment.

No verified public exploit code is available. Technical details are documented in the Huntr bounty report and the upstream fix commit.

Detection Methods for CVE-2024-3761

Indicators of Compromise

  • Unexpected DELETE requests to /v1/datasets/* in Lunary backend access logs
  • Dataset records missing from the application without a corresponding administrator action
  • Requests to the datasets API lacking an Authorization header that still return 2xx responses
  • Spikes in deletion activity from a single source IP or anonymous client

Detection Strategies

  • Audit web server and application logs for DELETE requests against the /v1/datasets routes (served by packages/backend/src/api/v1/datasets)
  • Correlate dataset deletion events with the authenticated user identity expected for that project
  • Alert on any DELETE request to the datasets endpoint that does not carry a valid session or API token
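As an added example that is not part of the original article, the following script applies the detection strategies above to access-log lines: it flags DELETE requests to /v1/datasets/&lt;id&gt; that carried no Authorization header yet received a 2xx response, and it counts successful dataset deletions per source IP to surface bulk-removal spikes. The log format is an assumption (common log format plus a trailing quoted field recording whether an Authorization header was present, which a reverse proxy would need to be configured to emit), and the sample lines are constructed.

```javascript
// Added detection example for the indicators listed above; not Lunary code.
// Assumed log format: common log format followed by a quoted "auth=present"
// or "auth=absent" field emitted by the front-end proxy.

// Constructed sample access-log lines (IPs from documentation ranges).
const SAMPLE_LOG = [
  '203.0.113.7 - - [20/May/2024:10:01:02 +0000] "DELETE /v1/datasets/ds-1 HTTP/1.1" 200 12 "auth=absent"',
  '203.0.113.7 - - [20/May/2024:10:01:03 +0000] "DELETE /v1/datasets/ds-2 HTTP/1.1" 200 12 "auth=absent"',
  '203.0.113.7 - - [20/May/2024:10:01:04 +0000] "DELETE /v1/datasets/ds-3 HTTP/1.1" 200 12 "auth=absent"',
  '198.51.100.4 - - [20/May/2024:10:05:00 +0000] "DELETE /v1/datasets/ds-9 HTTP/1.1" 204 0 "auth=present"',
  '198.51.100.4 - - [20/May/2024:10:06:00 +0000] "GET /v1/datasets HTTP/1.1" 200 845 "auth=present"',
  '203.0.113.9 - - [20/May/2024:10:07:00 +0000] "DELETE /v1/datasets/ds-4 HTTP/1.1" 401 0 "auth=absent"',
];

// ip, ident, user, [time], "METHOD path PROTO", status, bytes, "auth=..."
const LINE_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "auth=(present|absent)"$/;

// A single dataset resource under the vulnerable route, e.g. /v1/datasets/ds-1
const DATASET_DELETE_RE = /^\/v1\/datasets\/[^/?#]+$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // skip lines that do not match the assumed format
  return {
    ip: m[1],
    time: m[2],
    method: m[3],
    path: m[4],
    status: Number(m[5]),
    authPresent: m[7] === "present",
  };
}

function isSuccessfulDatasetDelete(e) {
  return e.method === "DELETE" && DATASET_DELETE_RE.test(e.path) &&
    e.status >= 200 && e.status < 300;
}

// Indicator: dataset deletions that succeeded without any Authorization header.
// On a patched instance these should never occur.
function findUnauthenticatedDeletes(lines) {
  return lines.map(parseLine).filter(Boolean)
    .filter((e) => isSuccessfulDatasetDelete(e) && !e.authPresent);
}

// Indicator: one source IP performing many successful deletions.
function findDeletionSpikes(lines, threshold = 3) {
  const counts = new Map();
  for (const e of lines.map(parseLine).filter(Boolean)) {
    if (isSuccessfulDatasetDelete(e)) counts.set(e.ip, (counts.get(e.ip) || 0) + 1);
  }
  return [...counts]
    .filter(([, n]) => n >= threshold)
    .map(([ip, n]) => ({ ip, deletes: n }));
}

console.log("unauthenticated successful deletes:", findUnauthenticatedDeletes(SAMPLE_LOG));
console.log("deletion spikes:", findDeletionSpikes(SAMPLE_LOG));
```

The 401 line in the sample is deliberately not flagged: a rejected unauthenticated DELETE is what a patched backend produces, so alerting on it would only be noise, while a 2xx on the same request is the signature of the unpatched route.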

Monitoring Recommendations

  • Enable application-level audit logging for all dataset lifecycle operations
  • Forward Lunary backend logs to a centralized logging or SIEM platform for retention and correlation
  • Track database row counts on dataset tables to detect anomalous bulk removals

How to Mitigate CVE-2024-3761

Immediate Actions Required

  • Upgrade Lunary to version 1.2.8 or later, which contains the authorization fix
  • Restrict network exposure of the Lunary backend to trusted clients only until patched
  • Review backend logs for unauthorized DELETE requests since deployment of version 1.2.2
  • Restore any missing datasets from backup and rotate API tokens after remediation

Patch Information

The fix is committed upstream as lunary-ai/lunary commit 14078c1 and released in version 1.2.8. The patch adds authentication and project-scope authorization checks to the dataset deletion route. Operators running self-hosted Lunary should pull the updated container or source release and redeploy.
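To make the Root Cause and Patch Information sections concrete, here is an added illustration written for this article rather than Lunary's own code: a minimal dataset DELETE handler with the missing-authorization defect (CWE-862) described above, beside a hardened handler that does what the upstream fix is described as adding, namely authentication followed by project-scope authorization before the deletion proceeds. The in-memory store, the token table, the function names and the exact status codes are assumptions made for the demonstration.

```javascript
// Added illustrative example of CWE-862 on a dataset DELETE route; not Lunary code.
// The store, tokens and helper names below are assumptions for the demonstration.

// Constructed in-memory "database": dataset id -> record with its owning project.
function makeStore() {
  return new Map([
    ["ds-1", { projectId: "proj-A", name: "eval-suite" }],
    ["ds-2", { projectId: "proj-B", name: "prompt-corpus" }],
  ]);
}

// Constructed token table standing in for real session / API-key validation.
const TOKENS = new Map([
  ["tok-alice", { userId: "alice", projectId: "proj-A" }],
  ["tok-bob", { userId: "bob", projectId: "proj-B" }],
]);

// Resolve "Authorization: Bearer <token>" to a caller identity, or null.
function lookupToken(authHeader) {
  if (typeof authHeader !== "string") return null;
  const [scheme, token] = authHeader.split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return TOKENS.get(token) || null;
}

// Vulnerable handler: deletes whatever id is named, never looking at who asked.
// This is the shape of the defect the article describes.
function deleteDatasetVulnerable(req, store) {
  const existed = store.delete(req.params.id);
  return { status: existed ? 204 : 404 };
}

// Hardened handler: authenticate first, then check that the dataset belongs to
// the caller's project, and only then delete.
function deleteDatasetHardened(req, store) {
  const caller = lookupToken(req.headers.authorization);
  if (!caller) return { status: 401, error: "authentication required" };

  const dataset = store.get(req.params.id);
  if (!dataset) return { status: 404, error: "not found" };

  // Project-scope authorization. Returning 404 here instead of 403 would also
  // avoid confirming that a foreign dataset id exists; either is defensible.
  if (dataset.projectId !== caller.projectId) {
    return { status: 403, error: "dataset belongs to another project" };
  }

  store.delete(req.params.id);
  return { status: 204 };
}

// Stand-alone demonstration of the two behaviours on identical requests.
function demo() {
  const anonymous = { params: { id: "ds-1" }, headers: {} };
  const vulnerable = deleteDatasetVulnerable(anonymous, makeStore());
  const hardened = deleteDatasetHardened(anonymous, makeStore());
  return { vulnerable, hardened };
}

console.log(demo());
```

The essential difference is ordering: the hardened version refuses to touch the store until both identity (401 path) and ownership (403 path) have been established, which is exactly the enforcement the article says the fix inserts ahead of the deletion.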

Workarounds

  • Place the Lunary backend behind a reverse proxy that requires authentication before forwarding DELETE requests to the datasets API
  • Block external access to the /v1/datasets path at the network edge until the upgrade is applied
  • Maintain frequent database backups of dataset tables to enable recovery if deletion occurs

```bash
# Upgrade Lunary to a fixed release
git fetch --tags
git checkout v1.2.8
npm install
npm run build

# Or pin the backend container image to a patched version
# docker pull lunary/lunary-backend:1.2.8
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.