OpenObserve
cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*
- < 0.16.0
A vulnerability exists in OpenObserve versions prior to 0.16.0, where organization invitation tokens do not expire, remain valid after a user is removed, and allow multiple simultaneous invitations to the same email with different roles. This mismanagement of invitation tokens creates a broken access control scenario, enabling removed or demoted users to regain access or escalate privileges.
Exploitation of this vulnerability could lead to unauthorized access and privilege escalation: a user who still holds a previously issued invitation link for their address can use it to rejoin the organization after being removed, or to obtain a higher role than the one they currently hold, because the invitation token rather than the user's current membership decides who may join and with which role.
To reproduce this vulnerability, an organization admin can invite a user twice to the same email address, once as an Admin and once as a User. After the user accepts the User invitation and is later removed from the organization, they can reuse the still-valid Admin invitation link to rejoin with Admin privileges, bypassing the removal.
Users are advised to update to OpenObserve version 0.16.0 or later. Invitation tokens should be time-limited and single-use, a newly issued invitation should invalidate any earlier pending invitation for the same address (so only one role is ever offered to an e-mail at a time), and all pending invitations for a user should be revoked when that user is removed from the organization.
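The token lifecycle the remediation describes, with the reproduction scenario above replayed against it, as an added example that is not OpenObserve's code: a hypothetical in-memory `OrgInvites` store written in Rust (the language OpenObserve is implemented in) in which tokens are time-limited, single-use, superseded by a newer invite for the same address, and revoked when the member is removed. The type and function names, the clock values, the token format and the e-mail addresses are all constructed for the example.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role { Admin, User }

/// Lifecycle of one invitation token. Only `Pending` tokens can be accepted.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum InviteState { Pending, Used, Expired, Superseded, Revoked }

#[derive(Debug)]
pub struct Invite {
    pub email: String,
    pub role: Role,
    pub expires_at: u64, // unix seconds
    pub state: InviteState,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AcceptError {
    UnknownToken,
    Expired,
    NotPending(InviteState),
}

/// Invitation and membership state for one organization (hypothetical, in-memory).
#[derive(Default)]
pub struct OrgInvites {
    invites: HashMap<String, Invite>,
    members: HashMap<String, Role>,
    next_id: u64,
}

impl OrgInvites {
    /// Issue a time-limited invite. Any still-pending invite for the same address is
    /// superseded, so there is never more than one live token (and one role) per e-mail.
    pub fn issue(&mut self, email: &str, role: Role, now: u64, ttl_secs: u64) -> String {
        for inv in self.invites.values_mut() {
            if inv.email == email && inv.state == InviteState::Pending {
                inv.state = InviteState::Superseded;
            }
        }
        // Placeholder token for the example; a real service must draw it from a CSPRNG
        // (e.g. 32 random bytes, base64url-encoded) and store only a hash of it.
        self.next_id += 1;
        let token = format!("inv-{:016x}", self.next_id);
        self.invites.insert(
            token.clone(),
            Invite { email: email.to_string(), role, expires_at: now + ttl_secs, state: InviteState::Pending },
        );
        token
    }

    /// Redeem a token: it must exist, be pending and not yet expired; it is single-use.
    pub fn accept(&mut self, token: &str, now: u64) -> Result<Role, AcceptError> {
        let inv = self.invites.get_mut(token).ok_or(AcceptError::UnknownToken)?;
        if inv.state != InviteState::Pending {
            return Err(AcceptError::NotPending(inv.state));
        }
        if now >= inv.expires_at {
            inv.state = InviteState::Expired;
            return Err(AcceptError::Expired);
        }
        inv.state = InviteState::Used;
        self.members.insert(inv.email.clone(), inv.role);
        Ok(inv.role)
    }

    /// Removing a member also revokes every pending invite for that address,
    /// so an old link cannot be used to rejoin.
    pub fn remove_member(&mut self, email: &str) {
        self.members.remove(email);
        for inv in self.invites.values_mut() {
            if inv.email == email && inv.state == InviteState::Pending {
                inv.state = InviteState::Revoked;
            }
        }
    }

    pub fn role_of(&self, email: &str) -> Option<Role> {
        self.members.get(email).copied()
    }
}

/// Replays the advisory's reproduction steps (Admin invite, then User invite, accept the
/// User invite, remove the member, reuse the Admin link) against the hardened store and
/// returns the outcome of the reuse attempt plus the user's membership afterwards.
pub fn replay_advisory_scenario() -> (Result<Role, AcceptError>, Option<Role>) {
    let mut org = OrgInvites::default();
    let t0 = 1_700_000_000; // constructed clock, unix seconds
    let admin_link = org.issue("alice@example.com", Role::Admin, t0, 24 * 3600);
    let user_link = org.issue("alice@example.com", Role::User, t0 + 60, 24 * 3600);
    org.accept(&user_link, t0 + 120).expect("User invite is pending and fresh");
    org.remove_member("alice@example.com");
    let reuse = org.accept(&admin_link, t0 + 300);
    (reuse, org.role_of("alice@example.com"))
}

fn main() {
    let (reuse, role) = replay_advisory_scenario();
    println!("reuse of Admin link after removal: {:?}", reuse); // Err(NotPending(Superseded))
    println!("membership after removal: {:?}", role); // None
}
```

In the replayed scenario the Admin link is already dead when the second invite is issued, so the removed user's attempt fails with `NotPending(Superseded)` and no membership is created; had only one invite been issued, the same link would fail as `Used` after acceptance or as `Revoked` after removal, and any link older than its TTL fails as `Expired`. The store keeps one live token per address and ties every pending token to the member's current status, which is the property the vulnerable versions lacked.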