CVE-2024-55954

HIGH

OpenObserve < 0.14.1 - Authenticated Privilege Escalation via User Removal Endpoint

Title source: llm

Description

OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/openobserve/openobserve/security/advisories/GHSA-m8gj-6r85-3r6m

Various Sources x_refsource_misc

https://github.com/gaby/openobserve/blob/main/src/service/users.rs#L631

View Writeup ZIP pw:eip

Scores

CVSS v3 8.7

EPSS 0.0049

EPSS Percentile 38.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-269 CWE-272 CWE-284 CWE-285 CWE-287

Status published

Products (1)

openobserve/openobserve < 0.14.1

Published Jan 16, 2025

Tracked Since Feb 18, 2026