Palantir Control Panel User Directory API Improper Authorization Vulnerability
Vulnerability
A vulnerability exists in the Palantir Control Panel's User Directory API in versions prior to 1.1401.0. It affects the pre-registration of users into an enrollment and organization before their first login. The API correctly verifies that the account requesting user creation has edit permission on the enrollment-level user directory, but it does not verify that this enrollment editor has access to the organization being targeted. As a result, an enrollment editor can pre-register users into organizations under the same enrollment that the editor is not permitted to access.
Impact
Exploitation of this vulnerability results in improper authorization: an enrollment editor can add users to organizations for which the editor lacks the necessary permissions, potentially giving those users unauthorized access to, or the ability to act within, those organizations.
Remediation
The vulnerability has been addressed by requiring the requestor to hold discover permission on the target organization before a pre-registration is allowed. All managed stacks have been upgraded to safe versions. The fix was released in Control Panel version 1.1401.0 and back-ported to the supported release channels (versions 1.1395.1, 1.1384.1, 1.1352.5 and 1.1346.1).
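As an added illustration (a hypothetical Python model, not Palantir's code), the following contrasts a pre-registration check that stops at the enrollment-level edit permission, as described in the Vulnerability section, with one that also requires discover permission on the target organization, as the remediation describes. The classes, permission names, function names and sample principals are assumptions made for this example.

```python
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the requestor lacks a required permission."""


@dataclass
class Enrollment:
    name: str
    # Principals holding 'edit' on the enrollment-level user directory
    # (hypothetical model of the permission the API already checks).
    directory_editors: set = field(default_factory=set)


@dataclass
class Organization:
    name: str
    enrollment: str
    # Principals holding 'discover' on this organization (hypothetical
    # model of the permission the fix additionally requires).
    discoverers: set = field(default_factory=set)
    members: set = field(default_factory=set)


def pre_register_vulnerable(requestor, new_user, enrollment, org):
    """Pre-fix behaviour: only the enrollment-level check is performed."""
    if requestor not in enrollment.directory_editors:
        raise AuthorizationError("requestor cannot edit the enrollment user directory")
    if org.enrollment != enrollment.name:
        raise ValueError("organization does not belong to this enrollment")
    # Missing: nothing verifies that the requestor can access `org`.
    org.members.add(new_user)
    return True


def pre_register_fixed(requestor, new_user, enrollment, org):
    """Fixed behaviour: also require 'discover' on the target organization."""
    if requestor not in enrollment.directory_editors:
        raise AuthorizationError("requestor cannot edit the enrollment user directory")
    if org.enrollment != enrollment.name:
        raise ValueError("organization does not belong to this enrollment")
    if requestor not in org.discoverers:
        raise AuthorizationError("requestor cannot discover the target organization")
    org.members.add(new_user)
    return True


def build_scenario():
    """Constructed sample data: one enrollment, two organizations, and an
    enrollment editor who may discover only one of the organizations."""
    enrollment = Enrollment("acme", directory_editors={"alice"})
    visible = Organization("sales", "acme", discoverers={"alice"})
    hidden = Organization("research", "acme", discoverers={"carol"})
    return enrollment, visible, hidden


def attempt(func, requestor, new_user, enrollment, org):
    """Run one pre-registration and report whether it was added or denied."""
    try:
        func(requestor, new_user, enrollment, org)
        return "added"
    except AuthorizationError:
        return "denied"


def compare():
    """Return the outcome of the same requests against both implementations."""
    results = {}
    for label, func in (("vulnerable", pre_register_vulnerable),
                        ("fixed", pre_register_fixed)):
        enrollment, visible, hidden = build_scenario()
        results[label] = {
            "visible_org": attempt(func, "alice", "bob", enrollment, visible),
            "hidden_org": attempt(func, "alice", "bob", enrollment, hidden),
            "non_editor": attempt(func, "mallory", "bob", enrollment, visible),
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare().items():
        print(label, outcome)
```

The only request whose outcome differs between the two implementations is the enrollment editor targeting an organization the editor cannot discover: the vulnerable path adds the user, the fixed path denies it. Requests from principals without enrollment edit permission are denied by both, which is why the bug is limited to enrollment editors reaching organizations under the same enrollment.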
