CVE-2024-24830 in OpenObserve
Summary
by MITRE • 02/09/2024
OpenObserve is an observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Analysis
by VulDB Data Team • 05/09/2025
The vulnerability identified as CVE-2024-24830 affects OpenObserve, a comprehensive observability platform designed for handling massive-scale log, metric, and trace data. This platform serves organizations requiring robust monitoring capabilities across petabyte-sized datasets, making its security paramount for enterprise environments. The flaw lies in the application's user management functionality, specifically in the "/api/{org_id}/users" endpoint that governs user creation and privilege assignment within organizational contexts.
The technical root cause of this vulnerability is insufficient validation in the processing of the user creation payload. When an authenticated regular user creates a new account through the API endpoint, the system fails to validate the role attribute submitted in the request payload against the caller's own privileges. This validation gap allows a caller with member-level privileges to manipulate the role assignment parameter and elevate the newly created user to the highest administrative level, the 'root' role. The absence of an access control check during user creation represents a critical failure in the platform's privilege management architecture, directly violating the fundamental security principles of least privilege and role-based access control.
The operational impact of this vulnerability extends beyond simple privilege escalation, fundamentally compromising the entire security posture of the observability platform. An authenticated member user can now effectively assume complete administrative control over their organization's data and resources by creating accounts with root privileges. This capability enables unauthorized access to sensitive monitoring data, potential data exfiltration, system configuration modifications, and complete control over the observability platform's operational parameters. The vulnerability affects all organizational members who have access to the user creation functionality, creating a significant risk for organizations relying on OpenObserve for critical infrastructure monitoring and security operations.
From a cybersecurity framework perspective, this vulnerability aligns with CWE-276, which addresses improper privileges, and represents a clear violation of the principle of least privilege. The issue also maps to ATT&CK technique T1078.004, which covers valid accounts with elevated privileges, as the vulnerability allows for the creation of accounts with root-level access. Organizations using OpenObserve must immediately apply the remediation provided in version 0.8.0, which addresses the payload validation issue and enforces proper role assignment controls. The vulnerability's severity is compounded by the fact that no workarounds exist, meaning organizations cannot mitigate the risk without upgrading their software version. Security teams should promptly assess their OpenObserve deployments to identify any potential exploitation attempts and implement monitoring for unauthorized user creation activities, in particular user-creation requests issued by member-level accounts that assign a role above the caller's own. The incident underscores the critical importance of proper input validation and access control mechanisms in multi-tenant applications, where privilege escalation can have widespread consequences across organizational data environments.
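The following is an added example, not OpenObserve's own code and not part of the advisory: it shows the server-side role check that the vulnerable user-creation path lacked (a caller may only assign a role at or below its own, and only privileged roles may create users at all), and reuses that check as a detection rule over constructed audit records of the kind a security team could collect from an API gateway. The role ranking, the `admin` tier, the field names of the audit records and the hypothetical `authorize_user_creation` and `find_suspicious_user_creations` functions are assumptions for this example; the advisory only names the 'member' and 'root' roles.

```python
import json

# Assumed privilege ordering for this example; only 'member' and 'root'
# are named in the advisory, 'admin' is an assumed intermediate tier.
ROLE_RANK = {"member": 0, "admin": 1, "root": 2}
MIN_ROLE_TO_CREATE_USERS = "admin"  # assumption: members cannot create users


def authorize_user_creation(requester_role, requested_role):
    """Check that must run before a user-creation request is honored.
    Returns (allowed, reason). The vulnerable behaviour the advisory
    describes is equivalent to trusting the payload and skipping this."""
    if requester_role not in ROLE_RANK:
        return False, "unknown requester role %r" % requester_role
    if requested_role not in ROLE_RANK:
        # Allow-list the role value instead of trusting arbitrary input.
        return False, "unknown requested role %r" % requested_role
    if ROLE_RANK[requester_role] < ROLE_RANK[MIN_ROLE_TO_CREATE_USERS]:
        return False, "requester may not create users"
    if ROLE_RANK[requested_role] > ROLE_RANK[requester_role]:
        # Never let a caller mint an account more privileged than itself.
        return False, "requested role exceeds requester's role"
    return True, "ok"


def find_suspicious_user_creations(log_lines):
    """Detection: flag POST .../users events whose actor assigned a role it
    should not have been able to. Each line is a JSON audit record in a
    constructed format (actor, actor_role, method, path, body)."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("method") != "POST" or not ev.get("path", "").endswith("/users"):
            continue
        body = ev.get("body", {})
        allowed, reason = authorize_user_creation(ev.get("actor_role"), body.get("role"))
        if not allowed:
            findings.append((ev.get("actor"), body.get("email"), body.get("role"), reason))
    return findings


# Constructed sample audit records, not real OpenObserve output.
SAMPLE_LOG = [
    '{"actor":"alice","actor_role":"root","method":"POST","path":"/api/acme/users","body":{"email":"bob@acme.test","role":"member"}}',
    '{"actor":"carol","actor_role":"member","method":"POST","path":"/api/acme/users","body":{"email":"eve@acme.test","role":"root"}}',
    '{"actor":"carol","actor_role":"member","method":"GET","path":"/api/acme/users","body":{}}',
]

if __name__ == "__main__":
    for finding in find_suspicious_user_creations(SAMPLE_LOG):
        print("ALERT: unauthorized role assignment", finding)
```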