It was discovered that in the oVirt REST API, RemoveDiskCommand is triggered as an internal command, meaning the permission validation that should be performed against the calling user is skipped. A user with low privileges (e.g. Basic Operations) could exploit this flaw to delete disks attached to guests.
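A simplified model of the flaw class described above, as an added example that is not oVirt's code or part of the original report: a command started internally skips the permission check that the user-facing entry point performs, and the hardened mode re-validates the child command against the original caller. The `Engine` class, the role table and the `detach_disk` parent action are hypothetical.

```python
class PermissionDenied(Exception):
    """Raised when the calling user lacks the permission for an action."""

# Constructed sample roles; the names are assumptions, not oVirt's real role model.
ROLE_ACTIONS = {
    "basic_operations": {"detach_disk"},
    "disk_admin": {"detach_disk", "remove_disk"},
}

class Engine:
    def __init__(self, check_child_permissions):
        self.check_child_permissions = check_child_permissions
        self.disks = {"disk-1": "attached", "disk-2": "attached"}

    def _validate(self, role, action):
        if action not in ROLE_ACTIONS.get(role, set()):
            raise PermissionDenied(f"{role} may not run {action}")

    def run_action(self, role, action, disk_id, **params):
        """User-facing entry point: permissions are always validated."""
        self._validate(role, action)
        getattr(self, "_" + action)(role, disk_id, **params)

    def run_internal_action(self, role, action, disk_id, **params):
        """Engine-internal entry point, used when one command triggers another."""
        # Flawed mode: the child is trusted because the engine started it.
        # Hardened mode: the child is re-validated against the original caller.
        if self.check_child_permissions:
            self._validate(role, action)
        getattr(self, "_" + action)(role, disk_id, **params)

    def _detach_disk(self, role, disk_id, remove=False):
        # The parent command triggers removal as a child (internal) command.
        if remove:
            self.run_internal_action(role, "remove_disk", disk_id)
        else:
            self.disks[disk_id] = "detached"

    def _remove_disk(self, role, disk_id):
        del self.disks[disk_id]

def try_remove(engine, role, disk_id):
    """Return True if the disk was deleted, False if the request was refused."""
    try:
        engine.run_action(role, "detach_disk", disk_id, remove=True)
    except PermissionDenied:
        return False
    return disk_id not in engine.disks
```
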
(In reply to Doran Moppert from comment #2)
> Upstream fix:
$ git tag --contains b6840a6c6221470c31e5f4d9f718239a9d44149d
This issue was addressed in the following erratum for Red Hat Virtualization 4.2: