A critical authentication vulnerability exists in the Google OAuth integration for lunary-ai/lunary, allowing for complete account takeover. The software fails to verify that the login token it receives is intended for it, enabling an attacker to use a token from a malicious application to impersonate a user and gain full access to their account. This flaw poses a significant risk of unauthorized data access, modification, and potential system compromise.

The application's Google OAuth implementation does not properly validate the audience (aud) claim within the JSON Web Token (JWT) provided by Google upon user authentication. The aud claim is a critical security feature that specifies the intended recipient of the token. An attacker can create a malicious application, trick a user into authenticating with it via Google, and capture the legitimate access token. Because the vulnerable Lunary application does not check if the token's aud claim matches its own client ID, it will accept this token, granting the attacker a session as the authenticated user.

This vulnerability is rated as critical severity with a CVSS score of 9.3. Successful exploitation leads to a full account takeover, granting the attacker the same privileges as the compromised user. The potential consequences include unauthorized access to and exfiltration of sensitive user or project data, data manipulation, and the ability to perform actions on behalf of the user. This can result in significant reputational damage, loss of customer trust, regulatory penalties, and the compromise of confidential information managed within the application.

Immediate Action: Immediately update all instances of lunary-ai/lunary to the patched version 1.9.35 or later. After patching, it is crucial to review authentication logs for any signs of suspicious activity that may indicate a prior compromise.

Proactive Monitoring: Monitor authentication logs for unusual login patterns, such as multiple failed login attempts followed by a success from a new IP address or geographic location. Scrutinize access logs for accounts exhibiting abnormal behavior post-authentication, such as unusually high data access or changes to account settings. Implement alerts for successful Google OAuth logins originating from unexpected sources.

Compensating Controls: If immediate patching is not feasible, consider temporarily disabling the Google OAuth login feature until the system can be updated. Alternatively, implement a Web Application Firewall (WAF) rule to inspect the incoming JWT during the authentication process and reject any token where the aud claim does not match the application's expected client ID. Enforcing mandatory multi-factor authentication (MFA) on all accounts can add another layer of security, although it may not prevent this specific exploit.

Public Exploit Available: false

Given the critical CVSS score of 9.3 and the high impact of a successful exploit (full account takeover), this vulnerability requires immediate attention. We strongly recommend that organizations identify all instances of the affected software and apply the patch to upgrade to version 1.9.35 without delay. Following the update, a thorough review of access and authentication logs should be conducted to identify any potential historical compromise. Although not currently on the CISA KEV list, the severity of this vulnerability warrants treating it as an urgent priority.