CVE-2024-5386

High ⚡ Exploit Available
CWE-1125 — Weakness Type
Published: Feb 2, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
8.8
📄 Description (English)

In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role user sends a specific request to the server, which responds with a password reset token in the 'recoveryToken' parameter. This token can then be used to reset the password of another user's account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts.

🤖 AI Executive Summary

CVE-2024-5386 is a critical account hijacking vulnerability in Lunary AI v1.2.2 that allows low-privileged 'viewer' role users to obtain password reset tokens and take over other user accounts. The vulnerability stems from improper access controls that expose sensitive recovery tokens in API responses, enabling privilege escalation and unauthorized account takeover. With an 8.8 CVSS score and publicly available exploits, this poses an immediate threat to organizations using Lunary for AI monitoring and logging. Immediate patching is essential to prevent account compromise and unauthorized access to sensitive AI/ML operations data.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 04:01
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations leveraging Lunary AI for AI/ML monitoring—particularly in financial services (banking sector under SAMA oversight), government agencies (NCA, NCSC), healthcare institutions, and energy sector operations—face significant risk. The vulnerability enables account takeover of administrative and analyst accounts, potentially exposing sensitive AI model configurations, training data, and operational logs. For SAMA-regulated financial institutions using Lunary for transaction monitoring and fraud detection AI systems, this could compromise audit trails and regulatory compliance. Government entities using AI for citizen services and security operations face data exfiltration risks. The privilege escalation mechanism is particularly dangerous in multi-tenant SaaS deployments common in Saudi enterprise environments.
🏢 Affected Saudi Sectors
Banking and Financial Services (SAMA-regulated institutions)
Government and Public Administration (NCA, NCSC, ministries)
Healthcare (hospitals, clinics using AI for diagnostics)
Energy and Utilities (ARAMCO, power generation facilities)
Telecommunications (STC, Mobily, Zain)
Insurance and Asset Management
E-commerce and Retail
Education and Research Institutions
⚖️ Saudi Risk Score (AI)
8.9
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Lunary instances running version 1.2.2 or earlier in your environment
2. Restrict API access to Lunary endpoints from trusted networks only using firewall/WAF rules
3. Audit all user accounts for unauthorized password changes and suspicious login activity in the past 30 days
4. Force password reset for all users, especially those with administrative or sensitive data access
5. Review and revoke any active sessions for accounts with 'viewer' role

PATCHING GUIDANCE:
1. Upgrade Lunary to version 1.2.3 or later immediately (patch is available)
2. Test patch in non-production environment first to ensure compatibility with existing integrations
3. Apply patch during maintenance window with rollback plan prepared
4. Verify patch effectiveness by confirming 'viewer' role users cannot access recovery tokens

COMPENSATING CONTROLS (if immediate patching delayed):
1. Implement API rate limiting on password reset endpoints (max 5 requests per user per hour)
2. Deploy WAF rules to block API responses that expose the 'recoveryToken' parameter
3. Enable multi-factor authentication (MFA) for all Lunary user accounts
4. Implement IP whitelisting for administrative accounts
5. Monitor API logs for suspicious token requests from 'viewer' role accounts
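Compensating control 1 calls for a per-user cap of 5 password reset requests per hour. The following is an added example (not Lunary code and not from the page's author) of a sliding-window limiter that could sit in middleware in front of the reset endpoint; the class name, the injectable clock and the in-process store are assumptions made for illustration, and a real deployment would back the store with a shared cache so the limit holds across instances.

```python
"""Per-user sliding-window rate limiter for password reset requests.

Added example for this page, not code from Lunary. The limit (5 requests
per user per hour) matches compensating control 1 above; everything else
(class name, in-memory store, injectable clock) is an assumption.
"""
import time
from collections import defaultdict, deque


class ResetRateLimiter:
    """Allow at most `limit` requests per user within any rolling `window_seconds`."""

    def __init__(self, limit=5, window_seconds=3600, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock                # injectable so behaviour can be tested deterministically
        self._hits = defaultdict(deque)   # user id -> timestamps of requests still inside the window

    def _evict(self, user_id, now):
        # Drop timestamps that have aged out of the rolling window.
        q = self._hits[user_id]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, user_id):
        """Return True if the request fits the budget (and record it), else False."""
        now = self.clock()
        q = self._evict(user_id, now)
        if len(q) >= self.limit:
            return False              # caller should reject with 429 and log the user id
        q.append(now)
        return True

    def remaining(self, user_id):
        """Requests the user may still make in the current window."""
        q = self._evict(user_id, self.clock())
        return max(self.limit - len(q), 0)


def simulate(decisions_for_user, count, clock):
    """Run `count` reset requests for one user against a fresh limiter; returns the allow/deny list."""
    limiter = ResetRateLimiter(clock=clock)
    return [limiter.allow(decisions_for_user) for _ in range(count)]


if __name__ == "__main__":
    # Constructed run: six requests in quick succession from one user; the sixth is denied.
    print(simulate("viewer-7", 6, time.monotonic))
```

The window is rolling rather than fixed, so a user cannot send 5 requests at 10:59 and 5 more at 11:00; each request is only admitted once the oldest recorded one is a full hour old.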

DETECTION RULES:
1. Alert on any API requests from 'viewer' role accounts accessing password reset endpoints
2. Monitor for multiple failed password reset attempts from single IP address
3. Flag successful password changes without corresponding MFA verification
4. Detect 'recoveryToken' parameter in API responses to non-admin users
5. Alert on privilege escalation attempts (viewer → admin role changes)
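Detection rules 1 to 4 above can be expressed as simple checks over API logs. The block below is an added example written for this page (not Lunary code and not from the page's author) that runs those four checks over constructed sample log lines. The log schema, the field names, the reset endpoint paths and the failed-attempt threshold are all assumptions for illustration; substitute the routes and fields of the gateway or application logs actually in use.

```python
"""Detection rules 1-4 for CVE-2024-5386, run over constructed sample log lines.

Added example for this page, not code from Lunary or the page's author.
Assumptions (constructed, not Lunary's real API or log schema): one JSON
object per log line, reset endpoints at /api/auth/reset-password and
/api/auth/recovery, a "response_fields" list naming the top-level fields
returned to the client, and an alert threshold of 5 failed attempts per IP.
"""
import json
from collections import Counter

# Assumed reset endpoint paths (placeholders, not Lunary's documented routes).
RESET_PATHS = ("/api/auth/reset-password", "/api/auth/recovery")
FAILED_RESET_THRESHOLD = 5  # assumed alerting threshold for rule 2

# Constructed sample log lines; one malformed line is included on purpose.
SAMPLE_LOGS = """
{"ts":"2026-02-03T10:00:01Z","user":"alice","role":"admin","ip":"10.0.0.5","path":"/api/auth/reset-password","status":200,"response_fields":["ok"]}
{"ts":"2026-02-03T10:00:09Z","user":"bob","role":"viewer","ip":"203.0.113.7","path":"/api/auth/recovery","status":200,"response_fields":["ok","recoveryToken"]}
{"ts":"2026-02-03T10:01:00Z","user":null,"role":"anonymous","ip":"198.51.100.9","path":"/api/auth/reset-password","status":401,"response_fields":["error"]}
{"ts":"2026-02-03T10:01:02Z","user":null,"role":"anonymous","ip":"198.51.100.9","path":"/api/auth/reset-password","status":401,"response_fields":["error"]}
{"ts":"2026-02-03T10:01:04Z","user":null,"role":"anonymous","ip":"198.51.100.9","path":"/api/auth/reset-password","status":401,"response_fields":["error"]}
{"ts":"2026-02-03T10:01:06Z","user":null,"role":"anonymous","ip":"198.51.100.9","path":"/api/auth/reset-password","status":401,"response_fields":["error"]}
{"ts":"2026-02-03T10:01:08Z","user":null,"role":"anonymous","ip":"198.51.100.9","path":"/api/auth/reset-password","status":401,"response_fields":["error"]}
{"ts":"2026-02-03T10:02:00Z","event":"password_changed","user":"carol","role":"analyst","ip":"10.0.0.8","mfa_verified":false}
{"ts":"2026-02-03T10:02:30Z","event":"password_changed","user":"dave","role":"admin","ip":"10.0.0.9","mfa_verified":true}
this line is not JSON and must be skipped rather than crash the detector
{"ts":"2026-02-03T10:03:00Z","user":"erin","role":"viewer","ip":"203.0.113.8","path":"/api/projects","status":200,"response_fields":["projects"]}
""".strip().splitlines()


def parse_logs(lines):
    """Parse JSON log lines, skipping malformed ones instead of aborting the run."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def viewer_reset_requests(events):
    """Rule 1: 'viewer' role accounts reaching a password reset endpoint."""
    return [e for e in events if e.get("role") == "viewer" and e.get("path") in RESET_PATHS]


def repeated_failed_resets(events, threshold=FAILED_RESET_THRESHOLD):
    """Rule 2: source IPs with `threshold` or more failed (4xx/5xx) reset attempts."""
    counts = Counter(e["ip"] for e in events
                     if e.get("path") in RESET_PATHS and e.get("status", 200) >= 400)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def password_changes_without_mfa(events):
    """Rule 3: successful password changes not accompanied by MFA verification."""
    return [e for e in events if e.get("event") == "password_changed" and not e.get("mfa_verified", False)]


def token_leaks_to_non_admin(events):
    """Rule 4: a 'recoveryToken' field returned in a response to a non-admin user."""
    return [e for e in events if e.get("role") != "admin" and "recoveryToken" in e.get("response_fields", [])]


def run_detections(lines):
    """Apply all four rules and return the hits keyed by rule name."""
    events = parse_logs(lines)
    return {
        "viewer_reset_requests": viewer_reset_requests(events),
        "repeated_failed_resets": repeated_failed_resets(events),
        "password_changes_without_mfa": password_changes_without_mfa(events),
        "token_leaks_to_non_admin": token_leaks_to_non_admin(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOGS).items():
        print(f"{rule}: {hits}")
```

Rule 4 is the one that most directly fingerprints this CVE, since a reset token should never appear in a response to anyone other than the account's own reset flow; rules 1 to 3 are broader hygiene checks that also catch the surrounding abuse pattern (reset attempts from low-privilege or unauthenticated sources, and password changes without a second factor).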
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Identify all Lunary instances running version 1.2.2 or earlier in your environment
2. Restrict API access to Lunary endpoints to trusted networks only using firewall/WAF rules
3. Audit all user accounts for unauthorized password changes and suspicious activity in the past 30 days
4. Force a password reset for all users, especially those with access to sensitive and administrative data
5. Review and revoke any active sessions for accounts with the 'viewer' role

PATCHING GUIDANCE:
1. Upgrade Lunary to version 1.2.3 or later immediately (patch available)
2. Test the patch in a non-production environment first to confirm compatibility with existing integrations
3. Apply the patch during a maintenance window with a rollback plan prepared
4. Verify patch effectiveness by confirming that 'viewer' role users cannot access recovery tokens

COMPENSATING CONTROLS (if immediate patching is delayed):
1. Apply API rate limiting on password reset endpoints (maximum 5 requests per user per hour)
2. Deploy WAF rules to block requests that expose the 'recoveryToken' parameter
3. Enable multi-factor authentication (MFA) for all Lunary user accounts
4. Apply IP whitelisting for administrator accounts
5. Monitor API logs for suspicious token requests from 'viewer' role accounts

DETECTION RULES:
1. Alert on any API requests from 'viewer' role accounts reaching password reset endpoints
2. Monitor for multiple failed password reset attempts from a single IP address
3. Flag successful password changes without corresponding MFA verification
4. Detect the 'recoveryToken' parameter in API responses to non-administrative users
5. Alert on privilege escalation attempts (viewer → admin role changes)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy (improper role-based access control)
ECC 2024 A.5.2.1 - User Registration and Access Rights Management (privilege escalation)
ECC 2024 A.5.3.1 - Password Management (token exposure and unauthorized reset)
ECC 2024 A.7.2.1 - Information Access Audit (inadequate access controls)
ECC 2024 A.9.2.1 - User Access Management (role-based access violation)
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management (inventory of Lunary instances)
SAMA CSF PR.AC-1 - Access Control Policy (role-based access enforcement)
SAMA CSF PR.AC-4 - Access Rights (privilege escalation prevention)
SAMA CSF DE.CM-1 - Detection Processes (monitoring unauthorized access attempts)
SAMA CSF RS.MI-2 - Incident Response (account takeover response procedures)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - Information Security Policies (access control policy)
ISO 27001:2022 A.6.2 - Internal Organization (role-based responsibilities)
ISO 27001:2022 A.8.2 - Asset Management (inventory and classification)
ISO 27001:2022 A.9.1 - Access Control (user access management)
ISO 27001:2022 A.9.2 - User Access Management (privilege management)
ISO 27001:2022 A.9.4 - Access Rights Review (periodic access review)
ISO 27001:2022 A.13.1 - Incident Management (detection and response)
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Default Passwords (account security)
PCI DSS 6.5.10 - Broken Authentication (token exposure vulnerability)
PCI DSS 7.1 - Access Control (role-based access enforcement)
PCI DSS 8.1 - User Identification (account management)
PCI DSS 10.2 - Audit Logging (monitoring unauthorized access)
📦 Affected Products / CPE (1 entry)
lunary:lunary
📊 CVSS Score
8.8
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: L — Low
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-1125
EPSS: 0.07%
Exploit: ✓ Yes
Patch: ✓ Yes
Published: 2026-02-02
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.9
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available patch-available CWE-1125