Severity: HIGH · CVE-2024-55954 · CVSS 8.7

CVE-2024-55954: Privilege Escalation in OpenObserve

Platform: go

Component: openobserve

Fixed in: 0.14.2

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2024-55954 describes a privilege escalation vulnerability in OpenObserve, a cloud-native observability platform. This flaw allows a user with the "Admin" role to remove a "Root" user from an organization, effectively bypassing intended access controls. The vulnerability impacts versions of OpenObserve up to and including 0.14.0, and a fix is available in version 0.14.1.

Impact and Attack Scenarios

The impact of CVE-2024-55954 is significant. An attacker who has gained "Admin" privileges within an OpenObserve organization can exploit this vulnerability to remove the "Root" user, which holds the highest level of access. By eliminating the Root user, the attacker can effectively gain full control over the organization's OpenObserve instance, potentially leading to data breaches, unauthorized modifications, and disruption of observability services. This vulnerability presents a serious risk to organizations relying on OpenObserve for monitoring and troubleshooting.

Exploitation Context

CVE-2024-55954 was publicly disclosed on January 16, 2025. Currently, there are no publicly available proof-of-concept exploits. The vulnerability's severity (CVSS 8.7) and the potential for complete control over the OpenObserve instance suggest a medium probability of exploitation, particularly if the platform is widely deployed and Admin accounts lack robust security practices. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.12% (31st percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N (base score 8.7, HIGH; source: nextguardhq.com)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: None (risk of service disruption)

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: High — admin or privileged account required to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: openobserve
Vendor: openobserve
Affected range: < 0.14.1 – < 0.14.1
Fixed in: 0.14.2

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-55954 is to upgrade OpenObserve to version 0.14.1 or later, which includes the necessary privilege check fixes. If immediate upgrading is not possible, consider implementing stricter role-based access controls within OpenObserve to limit the potential impact of a compromised Admin account. Review existing user permissions and ensure that the principle of least privilege is enforced. While a direct WAF rule is unlikely to be effective, monitoring for unusual user removal activity within the OpenObserve API logs can provide early warning signs of exploitation.
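As an added illustration (not OpenObserve's own code), the following Python sketches the privilege check the fix is described as restoring, and then uses that same predicate to flag audit events in which a non-Root actor removed a Root user. The JSON audit-event schema and its field names are assumptions: the page does not give OpenObserve's log format.

```python
"""Privilege check and log-based detection for the CVE-2024-55954 pattern.

Added example; not OpenObserve code. The audit-event schema below is a
hypothetical one, constructed for this demonstration.
"""
import json

ROOT = "Root"
ADMIN = "Admin"


def can_remove_user(actor_role: str, target_role: str) -> bool:
    """Authorization rule as the fix is described: only a Root user may
    remove a Root user. Admin may still remove non-Root members."""
    if target_role == ROOT:
        return actor_role == ROOT
    return actor_role in (ROOT, ADMIN)


def find_suspicious_removals(log_lines):
    """Return remove_user events the corrected rule would have denied,
    i.e. a non-Root actor removing a Root user (the CVE's symptom)."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise rather than abort the scan
        if ev.get("action") != "remove_user":
            continue
        if not can_remove_user(ev.get("actor_role", ""), ev.get("target_role", "")):
            hits.append(ev)
    return hits


# Constructed sample audit lines (hypothetical schema, not real OpenObserve output)
SAMPLE_LOG = """
{"ts":"2025-01-16T10:00:00Z","org":"acme","actor":"alice","actor_role":"Admin","action":"remove_user","target":"bob","target_role":"Member"}
{"ts":"2025-01-16T10:01:00Z","org":"acme","actor":"alice","actor_role":"Admin","action":"remove_user","target":"root@acme","target_role":"Root"}
{"ts":"2025-01-16T10:02:00Z","org":"acme","actor":"root@acme","actor_role":"Root","action":"remove_user","target":"carol","target_role":"Root"}
this line is not JSON and is ignored
"""

if __name__ == "__main__":
    for ev in find_suspicious_removals(SAMPLE_LOG.splitlines()):
        print("ALERT:", ev["actor"], "removed Root user", ev["target"], "in org", ev["org"])
```

Only the second constructed line is flagged: an Admin removing a Member and a Root removing a Root are both permitted by the corrected rule.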

How to fix

Update OpenObserve to version 0.14.1 or higher. This version corrects the vulnerability that allows users with the 'Admin' role to remove 'Root' users. The update prevents privilege escalation and unauthorized full control of the system.

Frequently asked questions

What is CVE-2024-55954 — Privilege Escalation in OpenObserve?

CVE-2024-55954 is a vulnerability in OpenObserve versions ≤0.14.0 that allows an Admin user to remove a Root user, bypassing privilege checks and potentially gaining full control.

Am I affected by CVE-2024-55954 in OpenObserve?

You are affected if you are running OpenObserve versions 0.14.0 or earlier. Assess your deployment and upgrade as soon as possible.

How do I fix CVE-2024-55954 in OpenObserve?

Upgrade OpenObserve to version 0.14.1 or later to remediate the vulnerability. Review and strengthen your role-based access controls.

Is CVE-2024-55954 being actively exploited?

Currently, there are no publicly known active exploits for CVE-2024-55954, but the vulnerability's severity warrants proactive mitigation.

Where can I find the official OpenObserve advisory for CVE-2024-55954?

Refer to the OpenObserve security advisory for detailed information and mitigation guidance (advisory link placeholder: https://github.com/openobserve/openobserve/security/advisories/GHSA-xxxx-xxxx-xxxx; replace with the actual advisory link when available).
