OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint /api/{org_id}/users/{email_id} allows an Admin role user to remove a Root user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account.

Due to insufficient role checks, the remove_user_from_org function does not prevent an Admin user from removing a Root user. As a result, an attacker with an Admin role can remove critical Root users, potentially gaining effective full control by eliminating the highest-privileged accounts. The DELETE /api/{org_id}/users/{email_id} endpoint is affected.

This issue has been addressed in release version 0.14.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
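The following is an added illustration of the class of defect the advisory describes, not OpenObserve's code: the `Role` ordering, the `may_remove_*` helpers, the `RemoveError` type, the organisation membership map and the stand-in `remove_user_from_org` handler are all assumptions constructed for the example. It places the insufficient check (caller must merely hold Admin or higher) beside a corrected one (caller must also rank at least as high as the user being removed), and runs both against a constructed organisation so the Admin-removes-Root case can be seen to succeed before the fix and be rejected after it.

```rust
// Added example, not OpenObserve's code. Role names, helper names and the
// sample organisation below are assumptions made for this illustration.
use std::collections::HashMap;

/// Role hierarchy ordered from least to most privileged. Deriving `Ord` on an
/// enum uses declaration order, so Viewer < Editor < Admin < Root.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    Viewer,
    Editor,
    Admin,
    Root,
}

/// Organisation membership: email -> role.
pub type Members = HashMap<String, Role>;

/// Constructed sample organisation (not real data).
pub fn sample_org() -> Members {
    let mut m = HashMap::new();
    m.insert("root@example.com".to_string(), Role::Root);
    m.insert("admin@example.com".to_string(), Role::Admin);
    m.insert("editor@example.com".to_string(), Role::Editor);
    m
}

/// Insufficient check, the pattern the advisory describes: only the caller's
/// own role is inspected, so an Admin is allowed to remove a Root user.
pub fn may_remove_before_fix(actor: Role, _target: Role) -> bool {
    actor >= Role::Admin
}

/// Corrected check: the caller must hold Admin or higher AND must rank at
/// least as high as the user being removed. Admin can no longer remove Root.
pub fn may_remove_after_fix(actor: Role, target: Role) -> bool {
    actor >= Role::Admin && actor >= target
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    ActorNotMember,
    TargetNotMember,
    Forbidden,
}

/// Hypothetical stand-in for the handler behind
/// DELETE /api/{org_id}/users/{email_id}. The authorization rule is passed in
/// so the two checks above can be compared on the same input.
pub fn remove_user_from_org(
    org: &mut Members,
    actor_email: &str,
    target_email: &str,
    check: fn(Role, Role) -> bool,
) -> Result<(), RemoveError> {
    let actor = *org.get(actor_email).ok_or(RemoveError::ActorNotMember)?;
    let target = *org.get(target_email).ok_or(RemoveError::TargetNotMember)?;
    if !check(actor, target) {
        return Err(RemoveError::Forbidden);
    }
    org.remove(target_email);
    Ok(())
}

fn main() {
    let mut org = sample_org();
    let before = remove_user_from_org(
        &mut org, "admin@example.com", "root@example.com", may_remove_before_fix,
    );
    println!("before fix, Admin removes Root: {:?}", before); // Ok(())

    let mut org = sample_org();
    let after = remove_user_from_org(
        &mut org, "admin@example.com", "root@example.com", may_remove_after_fix,
    );
    println!("after fix, Admin removes Root: {:?}", after); // Err(Forbidden)
}
```

The corrected rule compares the caller's role against the target's role rather than against a fixed floor, which is the check that a detection or review of similar endpoints should look for: any user-removal path where only the caller's own role is validated will exhibit the same hierarchy violation.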
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.