Due to improper ACLs, it was found possible to escalate privileges from a guest user to admin.
As a first step, the guest user adds itself to the bot group, which holds the manage-own-integrations permission. With this permission it is possible to create a custom Integration with a script that, when triggered, adds the user to the admin group.
The insertOrUpdateUser method improperly validates a user's permissions to change its groups. Because an explicit check prevents a user from adding itself to the admin group directly, the privileges of the bot group are used instead.
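The root cause above is a single explicit "don't add yourself to admin" rule standing in for real authorization of group changes. The following is an added example, not code from the report or from the affected project: it models that denylist-style check next to an allowlist-style check in which every role being added must be backed by a permission the acting principal holds, and replays the two-step chain against both. All role names, permission names, principal ids and function names are hypothetical.

```javascript
// Added example, not code from the report or from the affected project.
// All role names, permission names, ids and function names are hypothetical.

// Which permission a caller must hold to put a user into a given group/role.
const ROLE_ASSIGN_PERMISSION = {
  admin: 'assign-admin-role',
  bot: 'assign-bot-role',
  user: 'assign-user-role',
  guest: 'assign-guest-role',
};

// Constructed sample policy: permissions granted by each role.
const ROLE_PERMISSIONS = {
  admin: ['assign-admin-role', 'assign-bot-role', 'assign-user-role',
          'assign-guest-role', 'manage-own-integrations'],
  bot: ['manage-own-integrations'],
  user: [],
  guest: [],
};

function permissionsFor(roles) {
  const perms = new Set();
  for (const role of roles) {
    for (const p of ROLE_PERMISSIONS[role] || []) perms.add(p);
  }
  return perms;
}

// Weak check, modelled on the flaw the report describes: one explicit rule
// stops a user from adding itself to admin, and every other change passes.
function canChangeRolesDenylist(caller, target, newRoles) {
  const selfPromotion = caller.id === target.id &&
    newRoles.includes('admin') && !caller.roles.includes('admin');
  return !selfPromotion;
}

// Hardened check: every role being *added* must be covered by a permission the
// acting principal actually holds. The one-rule denylist becomes an allowlist
// derived from the caller's own roles, so a guest cannot join the bot group and
// a script carrying bot privileges cannot grant admin.
function canChangeRolesHardened(caller, target, newRoles) {
  const perms = permissionsFor(caller.roles);
  const added = newRoles.filter((r) => !target.roles.includes(r));
  return added.every((r) => perms.has(ROLE_ASSIGN_PERMISSION[r]));
}

// Replays the two-step chain from the report against a given check, using
// constructed principals, and reports whether the guest ends up as admin.
function simulateChain(check) {
  const guest = { id: 'u1', roles: ['guest'] };

  // Step 1: the guest edits its own account and adds the bot group.
  const step1 = check(guest, guest, ['guest', 'bot']);
  if (!step1) return { step1, step2: false, isAdmin: false };
  guest.roles = ['guest', 'bot'];

  // Step 2: an integration script owned by the guest runs under a separate
  // principal that carries the bot group's privileges, so a self-check keyed
  // on the caller's id never fires.
  const integrationRunner = { id: 'integration:u1', roles: ['bot'] };
  const step2 = check(integrationRunner, guest, ['guest', 'bot', 'admin']);
  if (step2) guest.roles = ['guest', 'bot', 'admin'];

  return { step1, step2, isAdmin: guest.roles.includes('admin') };
}

console.log('denylist check :', simulateChain(canChangeRolesDenylist));
console.log('hardened check :', simulateChain(canChangeRolesHardened));
```

The point to take from the simulation is that the denylist never sees the second step at all, because the script acts as a different principal; the allowlist form does not care who the caller is, only whether the caller's own permissions cover each role being added. When reviewing a user-update method, check that the role-change path is authorized per role and that a script or integration never executes with more privilege than the account that created it.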
https://hackerone.com/reports/501081