
CVE-2025-55795: n/a

Severity: Low
Published: Mon Sep 29 2025 (09/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

The openml/openml.org web application version v2.0.20241110 uses incremental user IDs and insufficient email ownership verification during email update workflows. An authenticated attacker controlling a user account with a lower user ID can update their email address to that of another user with a higher user ID without proper verification. This results in the victim's email being reassigned to the attacker's account, causing the victim to be locked out immediately and unable to log in. The vulnerability leads to denial of service via account lockout but does not grant the attacker direct access to the victim's private data.

AI-Powered Analysis

Last updated: 09/30/2025, 00:11:43 UTC

Technical Analysis

CVE-2025-55795 affects the openml/openml.org web application at version v2.0.20241110. Two design choices combine: user IDs are assigned incrementally, so an account's ID reveals its registration order, and the email update workflow applies a new address without proving that the requester owns it or that the address is free. An authenticated attacker holding a lower user ID can set their account's email to the address of a user with a higher ID. After that change the victim's address resolves to the attacker's account, and the victim can no longer log in.

The advisory does not state why the lower ID matters. A likely reason is that when two accounts carry the same address, the login or lookup-by-email path returns the first (lowest-ID) match, so the attacker's account shadows the victim's. Whatever the internal cause, the effect the advisory describes is the same: the victim's email is reassigned to the attacker and the victim is locked out. Any recovery flow that identifies accounts by email address alone is likely affected in the same way, since the address now points at the attacker. The attacker gains no direct access to the victim's private data; the result is denial of service against the victim's account.

The weakness is tracked as CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS v3.1 base score is 3.5 (Low) with the vector AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N: reachable over the network, high attack complexity, low privileges required (any registered account), no user interaction, changed scope (the victim's account is altered, not the attacker's), no confidentiality impact, low integrity impact and no availability impact. The vector records the damage as an integrity change to the victim's account record; the lockout that the description calls a denial of service is not reflected in the availability metric, so the score understates the impact for environments where losing access to an account matters.

No exploits in the wild are reported, and no patch or fix is linked to this record. Exploitation requires an authenticated account but no action by the victim. The high attack complexity most likely reflects the need to hold an account with a lower ID than the target and to drive the email update workflow precisely; under incremental IDs, a freshly registered account can only target users who register after it.

Potential Impact

For European organizations using the openml/openml.org platform, the risk is to user account availability and operational continuity rather than to data. Locking legitimate users out by reassigning their email addresses can stall research workflows, collaboration and data sharing that depend on the platform. No data breach or confidentiality loss occurs, but users who cannot reach their accounts mean productivity loss, support load and, where the platform is central to operations, reputational harm. Where the integrity of email addresses underpins communication and authentication, the flaw also undermines trust in the platform's security. The technique lends itself to targeted harassment or sabotage of specific users or teams in European research institutions or companies that rely on openml.org. Because exploitation requires an authenticated account with a lower user ID than the target, insiders and compromised long-standing accounts are the more credible threat: under incremental IDs, an account created today can only target accounts created later. The high attack complexity and the absence of direct data exposure limit the impact, but organizations should still plan for the operational disruption and user-support burden that account lockouts cause.

Mitigation Recommendations

To mitigate CVE-2025-55795 effectively, the platform should make an email change a two-step operation: send a verification link to the new address and apply the change only when that link is used, and require confirmation from, or at least send a notice to, the current address so the legitimate owner learns of any unexpected change. Before accepting a request, and again when the verification token is redeemed, check that the address is not already held by any other account, comparing addresses in a normalized form; this check must not depend on which account has the lower user ID, and no lookup or login path should resolve a duplicated address by ID order. Authorization decisions should validate the requester's identity directly rather than relying on user ID ordering. Log every email change request and alert on requests that target an address already associated with another account, since that is the signature of this attack. Operators should enforce strong authentication and account security policies to reduce the chance of attackers gaining control of long-standing (low-ID) accounts, and should brief users to report unexpected email-change notices or sudden login failures promptly. A user locked out this way cannot recover through flows that identify the account by email address alone, so support staff need a way to verify identity by other means and restore the address. Finally, platform developers should prioritize releasing a fix and communicate the update clearly to users and administrators.
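The vulnerable update path described in the technical analysis above, placed beside the hardened two-step workflow these recommendations call for, as an added example written for this page; it is not code from the openml/openml.org project. The in-memory account store, the user ids, the toy plaintext password check, and the assumption that a duplicated address resolves to the lowest user id (used here to reproduce the lockout) are all constructed for the example.

```python
"""Email-change workflow: the flaw behind CVE-2025-55795 next to a hardened version.

Added example, not openml.org code. The account store, the ids and the
"lowest id wins" lookup rule are assumptions made to reproduce the lockout.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    password: str  # plaintext only to keep the toy login readable


def normalize(email: str) -> str:
    """Canonical form for every comparison, so case or whitespace tricks cannot dodge a uniqueness check."""
    return email.strip().lower()


class InsecureAccounts:
    """Vulnerable behaviour: any authenticated user may set any address, and a
    lookup by email resolves to the lowest user id (assumed mechanism)."""

    def __init__(self, users):
        self.users = {u.id: u for u in users}

    def update_email(self, actor_id: int, new_email: str) -> None:
        # No proof of ownership for the new address and no check that it is free.
        self.users[actor_id].email = normalize(new_email)

    def login(self, email: str, password: str):
        matches = [u for u in self.users.values() if u.email == normalize(email)]
        owner = min(matches, key=lambda u: u.id, default=None)
        return owner.id if owner is not None and owner.password == password else None


class HardenedAccounts:
    """Two-step change: the address must be free, the new address must prove it
    received a token, and the uniqueness check is repeated at confirmation time."""

    TOKEN_TTL = 15 * 60  # seconds a verification token stays valid

    def __init__(self, users):
        self.users = {u.id: u for u in users}
        self.pending = {}  # token -> (actor_id, new_email, issued_at)
        self.alerts = []   # audit events a SOC would forward to a SIEM

    def _owner_of(self, email: str):
        return next((u for u in self.users.values() if u.email == email), None)

    def request_email_change(self, actor_id: int, new_email: str, now=None) -> str:
        new_email = normalize(new_email)
        owner = self._owner_of(new_email)
        if owner is not None:
            # A request for an address that already belongs to another account is
            # the signal the advisory says to monitor for, so record it.
            self.alerts.append({"actor": actor_id, "target_owner": owner.id, "email": new_email})
            raise PermissionError("address not available")
        token = secrets.token_urlsafe(32)
        self.pending[token] = (actor_id, new_email, now if now is not None else time.time())
        return token  # delivered only to new_email; the current address gets a notice

    def confirm_email_change(self, token: str, now=None) -> int:
        entry = self.pending.pop(token, None)  # single use
        if entry is None:
            raise PermissionError("unknown or already used token")
        actor_id, new_email, issued_at = entry
        if (now if now is not None else time.time()) - issued_at > self.TOKEN_TTL:
            raise PermissionError("token expired")
        if self._owner_of(new_email) is not None:
            # Re-check: the address may have been taken between request and confirmation.
            raise PermissionError("address not available")
        self.users[actor_id].email = new_email
        return actor_id

    def login(self, email: str, password: str):
        owner = self._owner_of(normalize(email))
        return owner.id if owner is not None and owner.password == password else None


def raises_permission_error(fn, *args, **kwargs) -> bool:
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


def sample_users():
    # Constructed accounts: id 1 registered first (attacker), id 2 later (victim).
    return [User(1, "attacker@example.org", "pw-attacker"),
            User(2, "victim@example.org", "pw-victim")]


def demo():
    """Returns (victim locked out in the insecure flow, takeover blocked in the hardened flow)."""
    insecure = InsecureAccounts(sample_users())
    insecure.update_email(1, "Victim@Example.org")  # attacker claims the victim's address
    locked_out = insecure.login("victim@example.org", "pw-victim") is None

    hardened = HardenedAccounts(sample_users())
    blocked = raises_permission_error(hardened.request_email_change, 1, "victim@example.org")
    return locked_out, blocked


if __name__ == "__main__":
    print(demo())
```

Rejecting with "address not available" tells the caller whether an address is registered; on a platform where account enumeration matters, answer both cases identically and email the existing owner instead. In a real deployment the pending table lives in the database, the token is sent only to the new address, and the alert goes to the monitoring pipeline rather than an in-memory list.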


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-16T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68db1fa7a473ffe031e278c4

Added to database: 9/30/2025, 12:09:11 AM

Last enriched: 9/30/2025, 12:11:43 AM

Last updated: 10/2/2025, 12:10:59 AM

