What is the CVSS score of CVE-2024-10762?

CVE-2024-10762 has a CVSS 3.0 base score of 8.1 (High). CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Lunary are affected by CVE-2024-10762?

Organizations using lunary-ai/lunary face notable risk from CVE-2024-10762, a missing authorization vulnerability rated CVSS 8.1.. A patch is available.

Is there a public PoC exploit available for CVE-2024-10762?

Yes, a public proof-of-concept exploit is available for CVE-2024-10762. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2024-10762?

Within 7 days: Identify all affected systems running lunary-ai/lunary and apply vendor patches promptly. Vendor patch is available.

Lunary CVE-2024-10762

HIGH

Missing Authorization (CWE-862)

2025-03-20 security@huntr.dev

Authentication Bypass Lunary

8.1

CVSS 3.0 · NVD

Severity by source

NVD PRIMARY

8.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:32 vuln.today

Patch released

Mar 28, 2026 - 18:32 nvd

Patch available

PoC Detected

Jul 02, 2025 - 19:47 vuln.today

Public exploit code

CVE Published

Mar 20, 2025 - 10:15 nvd

HIGH 8.1

DescriptionCVE.org

In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluators data, causing permanent data loss and potentially hindering operations.

AnalysisAI

In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This vulnerability allows low-privilege users to delete evaluators data, causing permanent data loss and potentially hindering operations. Affected products include: Lunary. Version information: version 1.5.9.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2024-10762 vulnerability details – vuln.today

Back