CVE-2024-55954

moderate-risk
Published 2025-01-16

OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Do I need to act?

-
0.12% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.7/10 High
NETWORK / LOW complexity

References (2)

https://github.com/gaby/openobserve/blob/main/src/service/users.rs#L631
https://github.com/openobserve/openobserve/security/advisories/GHSA-m8gj-6r85-3r...
36
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal