OpenObserve Improper Authorization Vulnerability in User Management Endpoint Allows Admin to Remove Root User

Vulnerability

A vulnerability exists in OpenObserve versions prior to 0.14.1 in the user management endpoint '/api/{org_id}/users/{email_id}'. It allows a user holding the 'Admin' role to remove a 'Root' user from the organization, violating the intended privilege hierarchy. The cause is an insufficient role check in the 'remove_user_from_org' function: it does not compare the caller's role against the target's, so a 'Root' target is not rejected when the caller is only an 'Admin'. Consequently, an 'Admin' user can delete 'Root' accounts, and once the highest-privileged users are gone the 'Admin' is left as the highest remaining authority in the organization.

Impact

Exploitation of this vulnerability allows 'Admin' users to remove 'Root' users without authorization, leading to a loss of administrative control and potential privilege escalation.

Reproduction

To reproduce this vulnerability, authenticate as a user holding the 'Admin' role in the target organization. Send a DELETE request to the '/api/{org_id}/users/{email_id}' endpoint with {email_id} set to the address of a 'Root' user in that organization. On an affected version the response confirms that the user has been removed from the organization; after upgrading, the same request is the check to repeat to confirm the fix.
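The role check the advisory describes, as an added example that is not OpenObserve's own code: a vulnerable 'remove_user_from_org'-style function that only verifies the caller holds 'Admin', beside a hardened form that additionally refuses when the target outranks the caller, so the reproduction request above (Admin removing Root) succeeds against the first and is rejected by the second. Role names follow the advisory; the ordering Member below Admin below Root, the sample addresses, the function and type names, and the choice to let an Admin remove another Admin are assumptions made for this illustration.

```rust
// Added illustration, not OpenObserve's code. Models the membership-removal
// check behind DELETE /api/{org_id}/users/{email_id}. Role names come from
// the advisory; the ranking, names and sample data below are assumptions.
use std::collections::HashMap;

// Declaration order defines rank: Member < Admin < Root.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    Member,
    Admin,
    Root,
}

#[derive(Debug, PartialEq, Eq)]
pub enum RemoveError {
    NotFound,
    Forbidden,
}

/// Organization membership, email -> role (constructed sample data).
pub struct Org {
    members: HashMap<String, Role>,
}

impl Org {
    pub fn sample() -> Self {
        let mut members = HashMap::new();
        members.insert("root@example.com".to_string(), Role::Root);
        members.insert("admin@example.com".to_string(), Role::Admin);
        members.insert("user@example.com".to_string(), Role::Member);
        Org { members }
    }

    /// Vulnerable form: checks only that the caller is at least Admin and
    /// that the target exists. It never compares the caller's role with the
    /// target's, so an Admin can remove a Root user.
    pub fn remove_user_vulnerable(&mut self, actor: &str, target: &str) -> Result<(), RemoveError> {
        let actor_role = *self.members.get(actor).ok_or(RemoveError::Forbidden)?;
        if actor_role < Role::Admin {
            return Err(RemoveError::Forbidden);
        }
        if !self.members.contains_key(target) {
            return Err(RemoveError::NotFound);
        }
        self.members.remove(target);
        Ok(())
    }

    /// Hardened form: additionally refuses when the target outranks the
    /// caller. Root may remove anyone; Admin may remove Admin or Member
    /// (allowing Admin-on-Admin removal is an assumption of this example).
    pub fn remove_user_fixed(&mut self, actor: &str, target: &str) -> Result<(), RemoveError> {
        let actor_role = *self.members.get(actor).ok_or(RemoveError::Forbidden)?;
        if actor_role < Role::Admin {
            return Err(RemoveError::Forbidden);
        }
        let target_role = *self.members.get(target).ok_or(RemoveError::NotFound)?;
        if target_role > actor_role {
            return Err(RemoveError::Forbidden);
        }
        self.members.remove(target);
        Ok(())
    }

    pub fn has(&self, email: &str) -> bool {
        self.members.contains_key(email)
    }
}

fn main() {
    let mut org = Org::sample();
    println!("vulnerable, Admin removes Root: {:?}",
             org.remove_user_vulnerable("admin@example.com", "root@example.com"));
    let mut org = Org::sample();
    println!("fixed, Admin removes Root: {:?}",
             org.remove_user_fixed("admin@example.com", "root@example.com"));
}
```

The comparison is deliberately on the target's role, not on its identity: checking "is the target named root" would miss additional Root accounts, whereas comparing ranks rejects every target that outranks the caller.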

Remediation

Users are advised to upgrade to OpenObserve version 0.14.1 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.