CVE-2025-4962
Insecure · Insecure Multiple Products (specifically the Lunary API)
Executive summary
A high-severity Insecure Direct Object Reference (IDOR) vulnerability has been discovered in the Lunary API, a component within Insecure's product line. This flaw allows an authenticated attacker to access and modify data templates belonging to other users without authorization, potentially leading to data corruption, information disclosure, and service disruption. Organizations are urged to apply vendor-supplied security updates immediately to mitigate this risk.
Vulnerability
The vulnerability exists in the POST /v1/templates API endpoint. The application fails to properly verify that the user making the request is authorized to modify the template specified in the request body. An authenticated attacker can craft a malicious request, changing the object identifier (e.g., template_id) to a value corresponding to a template owned by another user or organization. By submitting this request, the attacker can overwrite, alter, or delete templates they do not own, leading to a breach of data confidentiality and integrity.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.7. Exploitation could have a significant business impact, including unauthorized modification of critical business data stored within templates, potentially leading to service degradation or failure. If templates contain sensitive or proprietary information, this flaw could result in a data breach, exposing confidential data to unauthorized parties. Successful exploitation could lead to reputational damage, loss of customer trust, and potential regulatory penalties depending on the data compromised.
Remediation
Immediate Action: Apply vendor security updates immediately across all affected systems. After patching, it is critical to review access logs for any evidence of past exploitation attempts targeting the vulnerable endpoint.
Proactive Monitoring: Security teams should actively monitor logs for the POST /v1/templates endpoint. Specifically, look for patterns where a single authenticated user attempts to modify a wide range of template IDs in a short period. Correlate user session information with the ownership of the targeted template IDs to detect unauthorized access attempts.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to inspect and block requests to the /v1/templates endpoint that appear malicious. Additionally, consider implementing stricter API gateway policies that enforce object-level authorization checks before requests are passed to the application backend.
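The monitoring guidance above (a single user touching many template IDs in a short window, and correlating the session's organization with the owner of each targeted template) can be turned into a small log check. The following is an added example, not code from the advisory or from the Lunary project; it assumes a constructed JSON-per-line access log in which the logging pipeline records the template_id from the request body, and a constructed ownership table mapping template IDs to owning organizations.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Lunary logs). Field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2025-05-20T10:00:01Z","user":"u1","org":"orgA","method":"POST","path":"/v1/templates","template_id":"t-100"}
{"ts":"2025-05-20T10:00:02Z","user":"u1","org":"orgA","method":"POST","path":"/v1/templates","template_id":"t-101"}
{"ts":"2025-05-20T10:00:03Z","user":"u1","org":"orgA","method":"POST","path":"/v1/templates","template_id":"t-102"}
{"ts":"2025-05-20T10:00:04Z","user":"u1","org":"orgA","method":"POST","path":"/v1/templates","template_id":"t-103"}
{"ts":"2025-05-20T10:00:05Z","user":"u2","org":"orgB","method":"POST","path":"/v1/templates","template_id":"t-200"}
{"ts":"2025-05-20T10:30:00Z","user":"u2","org":"orgB","method":"GET","path":"/v1/templates","template_id":"t-100"}
"""

# Constructed ownership table: template_id -> owning organization (assumption).
OWNERSHIP = {"t-100": "orgA", "t-101": "orgB", "t-102": "orgB", "t-103": "orgC", "t-200": "orgB"}

def parse_log(text):
    """Parse JSON-per-line log text into event dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
    return events

def find_cross_tenant_writes(events, ownership):
    """Flag POST /v1/templates requests whose template is owned by a different org."""
    hits = []
    for e in events:
        if e["method"] == "POST" and e["path"] == "/v1/templates":
            owner = ownership.get(e["template_id"])
            if owner is not None and owner != e["org"]:
                hits.append((e["user"], e["template_id"], owner))
    return hits

def find_enumeration(events, window=timedelta(minutes=5), threshold=3):
    """Flag users that POST to more than `threshold` distinct template IDs within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/v1/templates":
            by_user[e["user"]].append((e["ts"], e["template_id"]))
    flagged = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):          # sliding window over sorted events
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {tid for _, tid in items[start:end + 1]}
            if len(distinct) > threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged
```

The two checks are complementary: the ownership correlation catches a single cross-tenant write, while the sliding window catches bulk probing of template IDs even when the ownership table is incomplete.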
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity rating (CVSS 7.7) and the direct risk to data integrity and confidentiality, it is imperative that organizations prioritize the deployment of the vendor-provided security patches. Although this vulnerability is not currently listed on the CISA KEV catalog, its potential for causing significant damage warrants immediate attention. We recommend a "patch and monitor" approach: apply the updates without delay and conduct a thorough review of historical logs to identify any potential compromise that may have occurred prior to remediation.