CVE-2024-55954

🗓️ 16 Jan 2025 19:30:39Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 68 Views🌐 WEB

OpenObserve vulnerability allows Admin to remove Root user, lacking sufficient role checks.

Reporter	Title	Published	Views	Family All 8
Circl	CVE-2024-55954	16 Jan 202519:36	–	circl
CNNVD	OpenObserve 安全漏洞	16 Jan 202500:00	–	cnnvd
Cvelist	CVE-2024-55954 OpenObserve Improper Authorization Allows Admin User to Remove Root User	16 Jan 202519:30	–	cvelist
EUVD	EUVD-2024-52862	3 Oct 202520:07	–	euvd
NVD	CVE-2024-55954	16 Jan 202520:15	–	nvd
OSV	CVE-2024-55954 OpenObserve Improper Authorization Allows Admin User to Remove Root User	16 Jan 202519:30	–	osv
RedhatCVE	CVE-2024-55954	5 Feb 202500:32	–	redhatcve
Vulnrichment	CVE-2024-55954 OpenObserve Improper Authorization Allows Admin User to Remove Root User	16 Jan 202519:30	–	vulnrichment

Vulners

Node

openobserve openobserveRange<0.14.1

[
  {
    "vendor": "openobserve",
    "product": "openobserve",
    "versions": [
      {
        "version": "< 0.14.1",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/gaby/openobserve/blob/main/src/service/users.rs
github	www.github.com/openobserve/openobserve/security/advisories/GHSA-m8gj-6r85-3r6m

Parameter	Position	Path	Description	CWE
org_id	path	/api/{org_id}/users/{email_id}	DELETE endpoint vulnerable to privilege escalation allowing Admin to remove Root user.	CWE-284, CWE-269, CWE-272, CWE-287, CWE-285
email_id	path	/api/{org_id}/users/{email_id}	DELETE endpoint vulnerable to privilege escalation allowing Admin to remove Root user.	CWE-284, CWE-269, CWE-272, CWE-287, CWE-285

15 Apr 2026 00:35Current

8.4High risk

Vulners AI Score8.4

CVSS 3.18.7

EPSS0.00118

SSVC

cve 2024 55954 openobserve vulnerability improper authorization admin role misuse root user removal user management endpoint high privilege account.