CVE-2024-2035 identifies a missing authorization control vulnerability (CWE-862) in the zenml-io/zenml open-source machine learning operations platform. The vulnerability resides in the API endpoint PUT /api/v1/users/id, which allows authenticated users to modify user records without proper permission checks. Specifically, any authenticated user can alter other users' data, including toggling the 'active' status field to false, effectively deactivating accounts. This can be exploited to disable administrator accounts, leading to denial of service for legitimate admins and potential disruption of the platform's management and security functions. The flaw affects zenml-io/zenml version 0.55.3 and was addressed in version 0.56.2 by introducing proper authorization validation to ensure only authorized users can modify user data. The CVSS 3.0 base score of 6.5 reflects a medium severity, with network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, no confidentiality impact, but high integrity and availability impacts. No known exploits are reported in the wild as of the publication date. This vulnerability highlights the critical need for robust access control in APIs managing user accounts.

For European organizations using zenml-io/zenml, this vulnerability poses a significant risk to operational continuity and security governance. By allowing authenticated users to deactivate admin accounts, attackers can disrupt administrative control, potentially halting critical machine learning workflows and data pipelines. This can lead to downtime, delayed projects, and increased recovery costs. The integrity of user management is compromised, increasing the risk of insider threats or privilege abuse. Availability is also impacted as essential administrative functions may become inaccessible. Organizations in sectors relying heavily on ML operations—such as finance, healthcare, and manufacturing—may face compliance and operational risks. The absence of confidentiality impact reduces data leakage concerns, but the disruption potential remains high. Given the medium CVSS score and the requirement for authentication, the threat is moderate but should not be underestimated in environments with multiple users and critical admin roles.

1. Upgrade zenml-io/zenml installations to version 0.56.2 or later immediately to apply the official patch that enforces proper authorization checks. 2. Implement strict role-based access control (RBAC) policies to restrict user modification capabilities only to authorized administrators. 3. Audit existing user accounts and monitor for unusual deactivation activities, especially targeting admin accounts. 4. Employ API gateway or web application firewall (WAF) rules to detect and block unauthorized attempts to modify user data. 5. Conduct regular security reviews of API endpoints to ensure authorization logic is correctly implemented and tested. 6. Educate users about the importance of safeguarding credentials, as exploitation requires authenticated access. 7. Consider implementing multi-factor authentication (MFA) to reduce the risk of compromised credentials enabling exploitation. 8. Maintain detailed logs of user management actions to facilitate incident response and forensic analysis.