The vulnerability arises from an incorrect privilege assignment mechanism within the zenml user management system. Specifically, it allows authenticated users to modify their account details to flag their account as a 'service account' through a crafted HTTP PUT request. This flaw effectively grants regular users the ability to elevate their privileges within the system, bypassing intended security controls and gaining unauthorized access to functionalities or data reserved for service accounts.

An attacker, after gaining access to the system as a regular user, crafts a malicious HTTP PUT request targeting the '/api/v1/current-user' endpoint. This request includes parameters to change the user's password and set the 'is_service_account' flag to true. Upon successful execution, the attacker's user account is elevated to a service account, granting them higher privileges and access rights within the application.

All users of zenml-io/zenml versions 0.56.3 and below are affected by this vulnerability. Specifically, systems where regular users can access and send crafted requests to the application's backend are at risk of unauthorized privilege escalation.