
A privilege escalation vulnerability was identified in the workspace management functionality that allows an administrator-level user to delete the workspace owner account, an operation that should be strictly restricted to system-level or super-admin roles only.
Due to missing or improperly enforced role-based access control (RBAC) checks, the application fails to validate whether the requesting user has sufficient privileges to perform owner-level destructive actions. As a result, an admin user can invoke the owner deletion functionality directly, bypassing intended role hierarchy restrictions.
Successfully exploiting this issue enables the attacker to remove the workspace owner, leading to a complete takeover of workspace governance or, in some cases, a permanent lockout scenario where ownership privileges cannot be recovered without backend intervention.
Step 1: Login as Admin
Log in to the platform using a valid admin-level account (non-owner).
Step 2: Intercept Member Deletion Request
Navigate to the workspace member management section and initiate the deletion of a regular workspace member.
Intercept the deletion request using a proxy tool such as Burp Suite.
Step 3: Modify Target User Identifier
In the intercepted request, identify the parameter that specifies the target user (e.g., email address).
Replace the regular member’s email address with the workspace owner’s email address.
target_email = owner@victim-domain.com
Step 4: Send the Modified Request
Forward the modified request to the server.
Affected Request
The following request demonstrates the privilege escalation where an admin-level user is able to delete the workspace owner by manipulating the target identifier in the request.

Impact:
High severity due to unauthorized removal of the workspace owner.
Leads to loss of control, denial of access, and potential business disruption.
Bypasses role-based access control, violating the principle of least privilege.
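As an added example, not the affected application's code: a minimal member-deletion handler in the vulnerable shape described above (only the requester's role is checked, the target identifier from the request is trusted) beside a hardened form that also authorizes on the target's role, so an admin cannot remove the owner. The role names, handler signatures and sample workspace are all hypothetical.

```python
# Added example, not the affected application's code. Role names, the
# handler signatures and the sample workspace are all hypothetical.
from dataclasses import dataclass

# Higher rank = more privilege. "owner" is the workspace owner role.
ROLE_RANK = {"member": 0, "admin": 1, "owner": 2}


class Forbidden(Exception):
    """Raised when the requester lacks authority for the requested action."""


@dataclass
class Workspace:
    members: dict  # email -> role name


def make_workspace():
    # Constructed sample data for the demonstration.
    return Workspace(members={
        "owner@example.test": "owner",
        "admin@example.test": "admin",
        "member@example.test": "member",
    })


def delete_member_vulnerable(ws, requester_email, target_email):
    # Vulnerable pattern: the only check is "is the requester an admin?".
    # target_email comes straight from the request and is never compared
    # against the target's role, so an admin can delete the owner.
    if ROLE_RANK[ws.members[requester_email]] < ROLE_RANK["admin"]:
        raise Forbidden("admin role required")
    del ws.members[target_email]


def delete_member_fixed(ws, requester_email, target_email):
    # Hardened pattern: authorize on the target's role as well as the
    # requester's. A requester may only remove accounts that rank strictly
    # below their own, which keeps owner removal out of an admin's reach.
    # (Self-removal would be a separate flow and is not modelled here.)
    requester_role = ws.members[requester_email]
    target_role = ws.members.get(target_email)
    if target_role is None:
        raise KeyError("no such member: " + target_email)
    if ROLE_RANK[requester_role] < ROLE_RANK["admin"]:
        raise Forbidden("admin role required")
    if ROLE_RANK[target_role] >= ROLE_RANK[requester_role]:
        raise Forbidden(f"a {requester_role} may not remove a {target_role}")
    del ws.members[target_email]


def is_allowed(handler, ws, requester_email, target_email):
    # Convenience wrapper returning the authorization decision; pass a fresh
    # workspace per call, since a permitted deletion mutates it.
    try:
        handler(ws, requester_email, target_email)
    except Forbidden:
        return False
    return True
```

The decisive difference is the comparison of `ROLE_RANK[target_role]` against the requester's rank; a check that looks only at who is asking, never at whom the request targets, is exactly the gap this report describes.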
