June 8, 2026
How I Found a User That Couldn’t Be Removed From an Organization
"Glory be to You; we have no knowledge except what You have taught us. Indeed, You are the All-Knowing, the All-Wise."
Ahmed Mahmoud
Hi, I'm Ahmed Mahmoud, a penetration tester and bug bounty hunter.
While testing an organization's member management feature, I found an interesting bug that allowed a user to stay inside an organization even after the owner tried to remove them.
The issue was caused by the way the application handled certain email addresses, which led to a failure in the member removal process.
Let's see how it worked.
Overview of the Vulnerability:
The application allows organization owners to invite users by email.
During testing, I discovered that if a user joined using a specially formatted email address, the owner could no longer remove that user from the organization.
The member appeared normally in the members list, but every removal attempt failed and the account continued to have access.
Scenario:
I was testing the invitation functionality and wanted to see how the application handled unusual email formats.
I sent an invitation using an email address that contained encoded characters.
The invitation worked successfully and the user joined the organization without any issues.
However, when the organization owner tried to remove the member, the application returned an error and the user remained inside the organization.
Even after refreshing the page and trying again, the account could not be removed.
Steps To Reproduce:
- Create an organization.
- Invite a user using an email address containing encoded characters, for example:
user%3ch1%3eahmed%3c%2fh1%3e@example.com
- Accept the invitation and verify that the user appears in the organization's members list.
- As the organization owner or admin, navigate to the Members page.
- Attempt to remove the affected user.
- Observe that the application returns an error message and the removal operation fails.
- Log in as the affected account and confirm that access to the organization still exists.
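The following is an added illustration, not the tested application's code: a toy membership store that reproduces the failure mode from the steps above beside a hardened version that validates the address at the invitation boundary and revokes membership by an opaque id. The exact root cause (the invite path storing the raw string while the removal path decodes it) and the `SAFE_EMAIL` policy are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed example address, the one the write-up uses.
ENCODED_EMAIL = "user%3ch1%3eahmed%3c%2fh1%3e@example.com"

# Conservative address check for the hardened path: plain local part and domain,
# no percent-encoding, angle brackets or whitespace (assumed policy, not the app's).
SAFE_EMAIL = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

class VulnerableOrg:
    """Assumed root cause: members keyed by the raw invited string, while
    removal decodes the address first, so the two identifiers never match."""
    def __init__(self):
        self.members = {}

    def invite(self, email):
        self.members[email] = {"email": email}  # stored exactly as submitted
        return True

    def remove(self, email):
        key = unquote(email)  # '%3c' -> '<' etc.; no such key was ever stored
        if key not in self.members:
            return False  # the "removal failed" error the owner sees
        del self.members[key]
        return True

class HardenedOrg:
    """Validate once at the boundary, then key membership by an opaque id."""
    def __init__(self):
        self.members = {}
        self._next_id = 1

    def invite(self, email):
        if "%" in email or not SAFE_EMAIL.match(email):
            return None  # reject before anything is persisted
        member_id = self._next_id
        self._next_id += 1
        self.members[member_id] = {"email": email.lower()}
        return member_id

    def remove(self, member_id):
        # Revocation keys on the id, never on a string that may be re-encoded
        return self.members.pop(member_id, None) is not None
```

Revoking by id also keeps the removal path independent of any later change to how addresses are normalised or displayed.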
Impact:
- Persistent unauthorized membership: A member can remain associated with an organization after the owner attempts to remove them.
- Access revocation failure: Organization administrators cannot reliably revoke access.
- Organization management disruption: Membership management becomes unreliable.
- Potential privilege abuse: The affected account may continue to access organization resources after revocation attempts.
- Security control bypass: Administrative access-control actions fail due to inconsistent identifier handling.
Final Thoughts
This finding is a good reminder that security issues are not always hidden behind complex exploits.
Sometimes, testing unusual inputs and edge cases can reveal vulnerabilities that directly impact access control.
What started as a simple email test eventually led to a user account that owners couldn't remove.
Thanks for reading! 🚀
Ahmed Mahmoud, Penetration Tester & Bug Bounty Hunter