CVE-2025-9803 · HIGH 8.8 · EPSS p32.6%

CVE-2025-9803

Description

lunary-ai/lunary version 1.9.34 is vulnerable to account takeover due to improper authentication in its Google OAuth integration. The application does not verify the 'aud' (audience) field of the token issued by Google, the claim that identifies which OAuth client the token was issued to and therefore whether it was intended for this application. As a result, a valid Google token that a victim granted to a different, attacker-controlled OAuth application is accepted as proof of that victim's identity, and the attacker can sign in to the victim's Lunary account. The issue is resolved in version 1.9.35.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.41% probability of exploitation · percentile 32.6% · 2026-06-19T12:03:05Z
Published: 2025-11-25
Last modified: 2025-12-30

Underlying weaknesses · 2

CWE-287, CWE-863

References

  1. https://github.com/lunary-ai/lunary/commit/95a2cc8e012bf5f089edbfa072ba66dcb7e10d91
  2. https://huntr.com/bounties/4734f35f-514c-4d10-98fa-3a54514f6af6

Type      Target                              Confidence  Tier
Weakness  Improper Authentication (cwe-287)   0%          live
Weakness  Incorrect Authorization (cwe-863)   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-5352
  2. CVE: Langflow Missing Authentication Vulnerability
  3. CVE: CVE-2026-29198
  4. CVE: CVE-2026-35030
  5. CVE: Twilio Authy Information Disclosure Vulnerability
  6. CVE: CVE-2026-21445

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.