
CVE-2024-30896

Severity: Critical
Type: Vulnerability (CVE)
Published: Thu Nov 21 2024 (11/21/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

InfluxDB OSS 2.x through 2.7.11 stores the administrative operator token under the default organization which allows authorized users with read access to the authorization resource of the default organization to retrieve the operator token. InfluxDB OSS 1.x, Enterprise, Cloud, Cloud Dedicated and Clustered are not affected. NOTE: The researcher states that InfluxDB allows allAccess administrators to retrieve all raw tokens via an "influx auth ls" command. The supplier indicates that the organizations feature is operating as intended and that users may choose to add users to non-default organizations. A future release of InfluxDB 2.x will remove the ability to retrieve tokens from the API. The supplier has stated that InfluxDB 2.8.0 has addressed this issue.

AI-Powered Analysis

Last updated: 12/19/2025, 15:24:43 UTC

Technical Analysis

CVE-2024-30896 is a critical-rated vulnerability in InfluxDB OSS 2.x through 2.7.11. The operator token, the instance-wide administrative credential created at setup, is stored as an authorization belonging to the default organization. Any user whose own token grants read access to the `authorizations` resource of that organization can list the organization's authorizations, and in affected versions the listing includes raw token values, so such a user can read the operator token and act with full administrative rights over the whole instance. The researcher who reported the issue notes that allAccess administrators can enumerate every raw token with the `influx auth ls` CLI command, which calls the same API. The vendor considers the organization model to be working as intended and points out that users may be placed in non-default organizations, where they cannot read the default organization's authorizations; as a design choice this leaves a large exposure wherever default-organization read access is not tightly controlled. InfluxDB OSS 1.x, Enterprise, Cloud, Cloud Dedicated and Clustered are not affected, so the scope is OSS 2.x up to and including 2.7.11. The vendor states that InfluxDB 2.8.0 addresses the issue by removing the ability to retrieve token values through the API. The weakness is classified as CWE-922 (Insecure Storage of Sensitive Information). The CVSS v3.1 base score is 9.1: network attack vector, low attack complexity, high privileges required, no user interaction, changed scope (an organization-scoped token yields control beyond that organization), and high impact on confidentiality, integrity and availability. No public exploit has been reported, but exploitation by a suitably privileged user needs only one API call or CLI command, so the practical risk is significant.

Potential Impact

For European organizations running InfluxDB OSS 2.x through 2.7.11, the practical consequence is administrative compromise by an already-authenticated user. Anyone holding a token with read access to the `authorizations` resource of the default organization can retrieve the operator token and gain full control of the instance: reading, altering or deleting any bucket, and creating or revoking other tokens. Organizations that depend on InfluxDB for monitoring, logging or other time-series data face operational disruption, compliance exposure (a GDPR breach where personal data is stored or derivable from the series) and reputational damage. Because exploitation requires an authorized account, the primary risk vectors are insiders and compromised credentials, including service tokens that were granted broader permissions than their job needs. Cloud, Cloud Dedicated, Clustered and Enterprise editions are unaffected, which narrows exposure for organizations on those offerings, but OSS 2.x is widely deployed by SMEs and technology companies, so the population at risk is large. The critical score reflects that a low-effort action by a moderately privileged user escalates to complete control of the instance.

Mitigation Recommendations

European organizations should upgrade InfluxDB OSS to 2.8.0 or later, the release the vendor states removes retrieval of token values through the API. Because anyone who could list the default organization's authorizations before the upgrade may already have copied the operator token, the upgrade should be followed by creating a fresh operator token and revoking the old one, and by rotating any other tokens that were visible to the same readers. Until the upgrade is possible: enumerate every active token that holds read permission on the `authorizations` resource of the default organization and remove that permission, or the token itself, unless it belongs to a trusted administrator; move ordinary users and service accounts into non-default organizations, as the vendor suggests, so their tokens cannot read the default organization's authorizations at all; restrict network access to the InfluxDB HTTP API (port 8086 by default) to the hosts that need it; and review the server's request logs for unexpected calls to /api/v2/authorizations. Keep the operator token out of day-to-day use and give automation narrowly scoped tokens instead, so the number of identities able to reach it stays small. Finally, track the vendor's advisories for further changes to token handling and test the upgrade in a staging environment before rolling it out.
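The following audit script illustrates both the exposure described in the technical analysis and the enumeration step in the mitigation above. It is an added example written for this page, not code from InfluxData or from the researcher. It assumes the response shape of the InfluxDB v2 `GET /api/v2/authorizations` endpoint (a list of authorizations, each with `id`, `orgID`, `status`, `token` and `permissions` entries of the form `{"action": ..., "resource": {"type": ..., "orgID": ...}}`), and it uses the heuristic that a permission whose resource carries no `orgID` is instance-wide, which is how the operator token looks; that heuristic, the organization IDs and all token values in the sample are constructed for the example.

```python
"""Audit an InfluxDB 2.x authorization listing for CVE-2024-30896 exposure.

Two questions: which tokens stored under the default organization are
operator-level (instance-wide permissions), and which active non-operator
tokens could read them because they hold read access to the `authorizations`
resource for that organization.  Added example; not InfluxData's code.
"""
import json
import urllib.request

AUTHZ_RESOURCE = "authorizations"  # resource type behind /api/v2/authorizations


def fetch_authorizations(base_url: str, admin_token: str) -> list:
    """Live mode: GET /api/v2/authorizations with an operator or allAccess token.
    Not exercised by the constructed sample below."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/authorizations",
        headers={"Authorization": f"Token {admin_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["authorizations"]


def is_operator_like(auth: dict) -> bool:
    """Heuristic (assumption): a permission whose resource has no orgID applies
    instance-wide, which is how the operator token created at setup looks."""
    return any("orgID" not in p.get("resource", {}) for p in auth.get("permissions", []))


def can_read_authorizations(auth: dict, org_id: str) -> bool:
    """Can this token list the authorizations of org_id (or of every org)?"""
    for perm in auth.get("permissions", []):
        res = perm.get("resource", {})
        if perm.get("action") == "read" and res.get("type") == AUTHZ_RESOURCE:
            if res.get("orgID", org_id) == org_id:  # unscoped or scoped to this org
                return True
    return False


def redact(token: str) -> str:
    """Never log raw token values; keep only enough to correlate with the UI."""
    return f"{token[:4]}...{token[-4:]}" if len(token) > 12 else "***"


def audit(auths: list, default_org_id: str) -> dict:
    """Return operator-like tokens stored under the default org, and the active
    non-operator tokens that could read them (the CVE-2024-30896 exposure)."""
    operators = [a["id"] for a in auths
                 if a.get("orgID") == default_org_id and is_operator_like(a)]
    readers = [a["id"] for a in auths
               if a.get("status", "active") == "active"
               and not is_operator_like(a)
               and can_read_authorizations(a, default_org_id)]
    return {"operator_tokens": operators, "can_read_operator_token": readers}


# Constructed sample shaped like a /api/v2/authorizations response; not real data.
DEFAULT_ORG = "0000000000000001"   # hypothetical default organization ID
OTHER_ORG = "0000000000000002"     # hypothetical non-default organization ID
SAMPLE = [
    {"id": "0a", "orgID": DEFAULT_ORG, "status": "active", "user": "admin",
     "token": "OPERATOR_TOKEN_VALUE_constructed_0000",
     "permissions": [{"action": act, "resource": {"type": t}}
                     for t in ("authorizations", "users", "orgs", "buckets")
                     for act in ("read", "write")]},
    {"id": "0b", "orgID": DEFAULT_ORG, "status": "active", "user": "alice",
     "token": "ALICE_TOKEN_constructed_0000000000",
     "permissions": [{"action": "read", "resource": {"type": "authorizations", "orgID": DEFAULT_ORG}},
                     {"action": "read", "resource": {"type": "buckets", "orgID": DEFAULT_ORG}}]},
    {"id": "0c", "orgID": OTHER_ORG, "status": "active", "user": "bob",
     "token": "BOB_TOKEN_constructed_000000000000",
     "permissions": [{"action": "read", "resource": {"type": "authorizations", "orgID": OTHER_ORG}}]},
    {"id": "0d", "orgID": DEFAULT_ORG, "status": "active", "user": "carol",
     "token": "CAROL_TOKEN_constructed_0000000000",
     "permissions": [{"action": "read", "resource": {"type": "buckets", "orgID": DEFAULT_ORG}}]},
    {"id": "0e", "orgID": DEFAULT_ORG, "status": "inactive", "user": "dave",
     "token": "DAVE_TOKEN_constructed_00000000000",
     "permissions": [{"action": "read", "resource": {"type": "authorizations", "orgID": DEFAULT_ORG}}]},
]

if __name__ == "__main__":
    result = audit(SAMPLE, DEFAULT_ORG)
    by_id = {a["id"]: a for a in SAMPLE}
    for aid in result["operator_tokens"]:
        a = by_id[aid]
        print(f"operator-level token in default org: id={aid} user={a['user']} token={redact(a['token'])}")
    for aid in result["can_read_operator_token"]:
        print(f"can list it via read:authorizations: id={aid} user={by_id[aid]['user']}")
```

On the sample, only the operator token (`0a`) is instance-scoped, and only `alice` (`0b`) is flagged as able to read it: `bob` holds the same permission but for a different organization, `carol` can only read buckets, and `dave`'s token is inactive. Against a live instance, replace `SAMPLE` with `fetch_authorizations(url, token)` and feed the flagged IDs into a permission review; the script deliberately prints redacted token values only, since the raw values in that response are exactly what this CVE is about.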


Technical Details

Data version: 5.2
Assigner: mitre
Date reserved: 2024-03-27T00:00:00.000Z
CVSS version: 3.1
State: PUBLISHED

Threat ID: 69456ab7a90e3c9a1542fb0a

Added to database: 12/19/2025, 3:09:43 PM

Last enriched: 12/19/2025, 3:24:43 PM

Last updated: 12/19/2025, 4:51:42 PM
