huntr.dev AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

huntr.dev CWE-770

lunary-ai/lunary version 0.3.0 is vulnerable to unauthorized project creation due to insufficient server-side validation of user account types during project creation. In the free account tier, users are limited to creating only two projects. However, this restriction is enforced only in the web UI and not on the server side, allowing users to bypass the limitation and create an unlimited number of projects without upgrading their account or incurring additional charges. This vulnerability is due to the lack of checks in the project creation endpoint.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

huntr.dev https://github.com/lunary-ai/lunary/commit/48d66a3deef8788fda7621e88f0e3a8a4a1ddeb9

huntr.dev https://huntr.com/bounties/f1f9e9d6-de5f-48c4-b4f4-fbd192370417