Cyber Resilience

CVE-2024-55954

Severity: High

Published: 16 January 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0016 (36.8th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-55954 is a high-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 36.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-55954 is a privilege escalation vulnerability in OpenObserve, a cloud-native observability platform. The issue resides in the user management endpoint `/api/{org_id}/users/{email_id}`, specifically the `DELETE` operation handled by the `remove_user_from_org` function in `src/service/users.rs`. Due to insufficient role checks, an "Admin" role user can remove a "Root" user from the organization, violating the intended privilege hierarchy where Root users hold the highest privileges.

An authenticated attacker with an "Admin" role can exploit this vulnerability over the network with low complexity and no user interaction required. By targeting the affected endpoint, the attacker can delete critical "Root" users, potentially achieving effective full control of the organization by eliminating the highest-privileged accounts needed for oversight and recovery.

The OpenObserve security advisory (GHSA-m8gj-6r85-3r6m) confirms the issue has been addressed in release version 0.14.1, and all users are advised to upgrade immediately. No workarounds are available.


Vulnerability details

OpenObserve is a cloud-native observability platform. A vulnerability in the user management endpoint `/api/{org_id}/users/{email_id}` allows an "Admin" role user to remove a "Root" user from the organization. This violates the intended privilege hierarchy, enabling a non-root user to remove the highest-privileged account. Due to insufficient role checks, the `remove_user_from_org` function does not prevent an "Admin" user from removing a "Root" user. As a result, an attacker with an "Admin" role can remove critical "Root" users, potentially gaining effective full control by eliminating the highest-privileged accounts. The `DELETE /api/{org_id}/users/{email_id}` endpoint is affected. This issue has been addressed in release version `0.14.1` and all users are advised to upgrade. There are no known workarounds for this vulnerability.
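As an added example (not OpenObserve's code), a minimal Rust model of the missing role check: the vulnerable shape tests only the actor's role, while the fixed shape also compares the target's role, so an Admin can no longer remove a Root user. The Viewer role and the e-mail addresses are constructed for illustration.

```rust
// Added example, not OpenObserve's code: a toy model of the role check that the
// DELETE /api/{org_id}/users/{email_id} handler lacked. Viewer and e-mails are constructed.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    Viewer, // assumed lower role; the advisory mentions only Admin and Root
    Admin,
    Root,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    UnknownUser,
    NotPermitted,
}

/// Vulnerable shape: only the actor's role is checked, so Admin passes for any target.
pub fn may_remove_vulnerable(actor: Role, _target: Role) -> bool {
    actor >= Role::Admin
}

/// Fixed shape: the target's role is compared too. Root may remove anyone,
/// Admin may remove anyone except Root, lower roles may remove nobody.
pub fn may_remove(actor: Role, target: Role) -> bool {
    match actor {
        Role::Root => true,
        Role::Admin => target < Role::Root,
        _ => false,
    }
}

/// Hardened removal over an org user table (e-mail -> role): resolve both
/// roles, enforce the hierarchy, and only then delete the target.
pub fn remove_user_from_org(users: &mut HashMap<String, Role>, actor: &str, target: &str) -> Result<(), RemoveError> {
    let actor_role = *users.get(actor).ok_or(RemoveError::UnknownUser)?;
    let target_role = *users.get(target).ok_or(RemoveError::UnknownUser)?;
    if !may_remove(actor_role, target_role) {
        return Err(RemoveError::NotPermitted);
    }
    users.remove(target);
    Ok(())
}

/// Constructed sample org with one user per role.
pub fn sample_org() -> HashMap<String, Role> {
    [("root@example.com", Role::Root), ("admin@example.com", Role::Admin), ("viewer@example.com", Role::Viewer)]
        .iter().map(|&(e, r)| (e.to_string(), r)).collect()
}
```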

CWE(s): CWE-269 Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct privilege escalation via insufficient authorization checks on user deletion endpoint, allowing lower-privileged Admin to remove Root accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33377 (shared CWE-284, CWE-287)
CVE-2026-31836 (shared CWE-269, CWE-285)
CVE-2026-5141 (shared CWE-269, CWE-284)
CVE-2026-39386 (shared CWE-269, CWE-284)
CVE-2026-29124 (shared CWE-269)
CVE-2025-29922 (shared CWE-285)
CVE-2026-37526 (shared CWE-284)
CVE-2026-42823 (shared CWE-284)
CVE-2026-0912 (shared CWE-269)
CVE-2025-48645 (shared CWE-269)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved role-based authorizations to prevent admins from deleting higher-privileged root users via the user management endpoint.

AC-6 Least Privilege (prevent): Ensures least privilege by restricting admin roles from performing actions like removing root users, upholding the privilege hierarchy.

AC-2 Account Management (prevent): Manages the account lifecycle, including restrictions and automation on user removal, to mitigate unauthorized deletions of critical root accounts.
