
CVE-2024-55954

Severity: HIGH | CVSS 3.1: 8.7 | EPSS: 0.12%
Updated: Jan 16, 2025
Openobserve

CVSS: 8.7 (HIGH)
Type: CWE-285 (Improper Authorization), CWE-284 (Improper Access Control), CWE-287 (Improper Authentication), CWE-272, CWE-269 (Improper Privilege Management)
Vendor: Openobserve
Public PoC: No

OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account.

Due to insufficient role checks, the `remove_user_from_org` function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected.

This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.
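The defect described above is a missing comparison between the caller's role and the target's role. The following Rust block is an added illustration written for this page; it is not OpenObserve's code and does not reproduce its actual types or handler. It assumes a hypothetical three-level role model (Member, Admin, Root) and an in-memory organisation user table keyed by email, and shows a removal check that only verifies the caller holds Admin beside a hardened check that also refuses to remove any user who outranks the caller, so removing a Root account requires Root.

```rust
use std::collections::HashMap;

/// Hypothetical role ladder, declared in rank order so the derived `Ord`
/// gives Member < Admin < Root. Not OpenObserve's own type.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    Member,
    Admin,
    Root,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    ActorNotFound,
    TargetNotFound,
    Forbidden,
}

/// In-memory stand-in for an organisation's user table (constructed for this example).
pub struct Org {
    users: HashMap<String, Role>,
}

impl Org {
    pub fn new(users: &[(&str, Role)]) -> Self {
        Org {
            users: users
                .iter()
                .map(|(email, role)| (email.to_string(), *role))
                .collect(),
        }
    }

    pub fn has_user(&self, email: &str) -> bool {
        self.users.contains_key(email)
    }

    /// Insufficient check, modelled on the flaw the advisory describes: the caller
    /// only needs to hold Admin or above, and the target's role is never consulted,
    /// so an Admin can delete a Root account.
    pub fn remove_user_vulnerable(&mut self, actor: &str, target: &str) -> Result<(), RemoveError> {
        let actor_role = *self.users.get(actor).ok_or(RemoveError::ActorNotFound)?;
        if actor_role < Role::Admin {
            return Err(RemoveError::Forbidden);
        }
        self.users
            .remove(target)
            .map(|_| ())
            .ok_or(RemoveError::TargetNotFound)
    }

    /// Hardened check: the caller must hold Admin or above AND must not be outranked
    /// by the target. The authorisation check runs before the target lookup so a
    /// Member cannot use the error code to probe whether an email exists.
    pub fn remove_user_checked(&mut self, actor: &str, target: &str) -> Result<(), RemoveError> {
        let actor_role = *self.users.get(actor).ok_or(RemoveError::ActorNotFound)?;
        if actor_role < Role::Admin {
            return Err(RemoveError::Forbidden);
        }
        let target_role = *self.users.get(target).ok_or(RemoveError::TargetNotFound)?;
        if target_role > actor_role {
            // Removing a higher-privileged account (e.g. Admin removing Root) is refused.
            return Err(RemoveError::Forbidden);
        }
        self.users.remove(target);
        Ok(())
    }
}

fn main() {
    // Constructed sample organisation: one Root and one Admin.
    let seed = [("root@example.com", Role::Root), ("admin@example.com", Role::Admin)];

    let mut vulnerable = Org::new(&seed);
    println!(
        "vulnerable check, Admin removes Root: {:?}",
        vulnerable.remove_user_vulnerable("admin@example.com", "root@example.com")
    );

    let mut hardened = Org::new(&seed);
    println!(
        "hardened check,   Admin removes Root: {:?}",
        hardened.remove_user_checked("admin@example.com", "root@example.com")
    );
}
```

The point of ordering the checks this way is that every authorisation decision on the delete path considers both principals: who is calling and whom they are acting on. Comparing only the caller's role against a fixed threshold, as the vulnerable variant does, is exactly the gap that lets a lower tier delete a higher one.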

Attack Parameters

Attack Vector: Network (can be exploited remotely)
Attack Complexity: Low (easy to exploit)
Privileges Required: High (Admin privileges needed)
User Interaction: None (no user interaction needed)

Impact Assessment

Confidentiality: High (complete data leak)
Integrity: High (complete data modification)
Availability: None (no disruption)

CVSS Vector v3.1
