CVE-2024-2035: CWE-862 Missing Authorization in zenml-io zenml-io/zenml
An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.
AI Analysis
Technical Summary
CVE-2024-2035 is classified under CWE-862 (Missing Authorization) and exists in the zenml-io/zenml repository, specifically in the API endpoint PUT /api/v1/users/id. The vulnerability allows any authenticated user to bypass proper authorization checks and modify other users' account information, including setting the `active` status of user accounts to false, which effectively deactivates them. Such unauthorized modifications can disrupt the application's normal operations, particularly if administrative accounts are targeted and deactivated, locking out legitimate administrators and impacting system management and security. The vulnerability affects version 0.55.3 of zenml-io/zenml and was addressed in version 0.56.2. The CVSS v3.0 score is 6.5 (medium): network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, no confidentiality impact, but high integrity and availability impacts (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H). No public exploits have been reported to date. The root cause is a missing or insufficient authorization check on a critical user management API endpoint: the handler verifies that the caller is authenticated but not that the caller is permitted to modify the targeted account, which allows privilege escalation through manipulation of user account states.
Potential Impact
For European organizations using zenml-io/zenml version 0.55.3 or earlier, this vulnerability poses a significant risk to operational continuity and security. Unauthorized deactivation of user accounts, especially those with administrative privileges, can lead to denial of service for legitimate users and administrators, disrupting workflows and potentially halting critical data science or machine learning pipelines managed by zenml. The integrity of user management is compromised, allowing malicious insiders or compromised accounts to escalate their influence by disabling other users. This can also lead to reduced availability of the service and increased risk of further exploitation if administrative oversight is lost. Organizations relying on zenml for production environments or sensitive data processing may face operational delays, increased incident response costs, and potential compliance issues if access controls are circumvented.
Mitigation Recommendations
European organizations should immediately verify their zenml-io/zenml deployment versions and upgrade to version 0.56.2 or later where the vulnerability is patched. In addition to upgrading, organizations should implement strict access controls and audit logging around user management APIs to detect and prevent unauthorized modifications. Employ role-based access control (RBAC) to limit which authenticated users can modify user accounts, especially administrative ones. Conduct regular reviews of user account statuses and monitor for unusual deactivation events. Network segmentation and API gateway protections can help restrict access to sensitive endpoints. Where possible, implement multi-factor authentication (MFA) for all users with elevated privileges to reduce the risk of compromised accounts being used to exploit this vulnerability. Finally, integrate vulnerability scanning and penetration testing focused on authorization controls in the CI/CD pipeline to catch similar issues early.
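The handler pattern behind this class of bug, and the object-level check that closes it, can be shown in a few dozen lines. The block below is an added illustration and is not ZenML's code; the `User` model, the field policy (`name` self-editable, `active`/`is_admin` admin-only), the last-admin lockout guard and the audit record format are all assumptions chosen for the example. `update_user_vulnerable` mirrors the CWE-862 gap from the technical summary (authentication is checked, ownership or role is not), `update_user_hardened` applies the RBAC-style policy the mitigation section recommends, and `deactivation_events` is the kind of filter a monitoring rule for "unusual deactivation events" would run over the audit records.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: str
    name: str
    is_admin: bool = False
    active: bool = True


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the update."""


# Assumed policy: fields a user may change on their own account, and fields
# reserved to administrators.
SELF_EDITABLE = {"name"}
ADMIN_ONLY = {"active", "is_admin"}


def sample_store():
    """Constructed sample accounts (not real data): one admin, two regular users."""
    return {
        "u1": User("u1", "alice", is_admin=True),
        "u2": User("u2", "bob"),
        "u3": User("u3", "carol"),
    }


def update_user_vulnerable(users, requester_id, target_id, changes):
    """CWE-862 pattern: the handler confirms the caller is *a* user but never
    asks whether that caller may edit *this* target, so any account can flip
    another account's `active` flag."""
    if requester_id not in users:
        raise Forbidden("unauthenticated")
    target = users[target_id]
    for field_name, value in changes.items():
        setattr(target, field_name, value)
    return target


def authorize(users, requester_id, target_id, changes):
    """Return None if the update is allowed, else a short denial reason."""
    requester = users.get(requester_id)
    if requester is None or not requester.active:
        return "unauthenticated"
    target = users.get(target_id)
    if target is None:
        return "no such user"
    unknown = set(changes) - SELF_EDITABLE - ADMIN_ONLY
    if unknown:
        return "unknown field(s): " + ", ".join(sorted(unknown))
    if requester_id != target_id and not requester.is_admin:
        return "only admins may modify other accounts"
    if set(changes) & ADMIN_ONLY and not requester.is_admin:
        return "only admins may change active/is_admin"
    # Lockout guard: never let the last active admin be deactivated or demoted.
    if target.is_admin and (changes.get("active") is False or changes.get("is_admin") is False):
        others = [u for u in users.values()
                  if u.is_admin and u.active and u.id != target_id]
        if not others:
            return "would remove the last active admin"
    return None


def update_user_hardened(users, requester_id, target_id, changes, audit):
    """Same update, gated by `authorize` and recorded for later review."""
    reason = authorize(users, requester_id, target_id, changes)
    if reason is not None:
        audit.append({"actor": requester_id, "target": target_id,
                      "changes": dict(changes), "outcome": "denied: " + reason})
        raise Forbidden(reason)
    target = users[target_id]
    for field_name, value in changes.items():
        setattr(target, field_name, value)
    audit.append({"actor": requester_id, "target": target_id,
                  "changes": dict(changes), "outcome": "applied"})
    return target


def deactivation_events(audit):
    """Detection helper: every audit record (applied or denied) in which the
    actor tried to set active=False on an account other than their own."""
    return [rec for rec in audit
            if rec["changes"].get("active") is False and rec["actor"] != rec["target"]]


if __name__ == "__main__":
    users = sample_store()
    # Vulnerable path: a regular user deactivates the admin account.
    update_user_vulnerable(users, "u2", "u1", {"active": False})
    print("vulnerable: admin active =", users["u1"].active)
    users, audit = sample_store(), []
    print("hardened:", authorize(users, "u2", "u1", {"active": False}))
    update_user_hardened(users, "u1", "u2", {"active": False}, audit)
    print("flagged:", deactivation_events(audit))
```

Denied attempts are written to the audit list as well as applied ones, so a monitoring rule sees probing against the endpoint even when the hardened check holds; the last-admin guard is a separate control from the authorization check and exists only to prevent the lockout scenario the advisory describes.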
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-02-29T19:50:35.229Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b25178f764e1f470b27
Added to database: 10/15/2025, 1:01:25 PM
Last enriched: 10/15/2025, 1:25:10 PM
Last updated: 10/16/2025, 11:20:23 AM