Impact
The vulnerability in SolarWinds Observability Self‑Hosted allows an attacker to supply a crafted external URL to which the application then redirects the user, sending them to an unintended website. This flaw can be leveraged to facilitate phishing attacks or to drive traffic to malicious sites, undermining user trust and potentially exposing users to further exploits. The weakness is a classic open redirect, identified as CWE‑601, and primarily impacts the confidentiality of users’ browsing context.
Affected Systems
The affected product is SolarWinds Observability Self‑Hosted. All deployments prior to the 2026.2 release are potentially impacted, as the vendor recommends upgrading to this version to eliminate the redirect issue. There are no specific sub‑versions listed in the advisory, so any earlier 2026‑series build should be considered vulnerable until the patch is applied.
Risk and Exploitability
The CVSS score of 4.8 places the flaw in the moderate range, indicating that while the impact is not catastrophic, it is still noteworthy. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. The description implies a remote attack vector through the web application interface, with the attacker triggering the redirect condition by supplying a malicious URL within the UI. Successful exploitation would rely on the user following the redirected link, making this a user‑initiated phishing risk rather than a fully automated exploit.
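As an added example, not code from SolarWinds or from the advisory (the product's actual redirect handler and parameter names are not given there), the following Python contrasts the CWE‑601 pattern described in the Impact and Risk sections with a hardened redirect resolver, and runs a small check over constructed access‑log lines to flag redirect parameters pointing off‑site. The application origin, host allowlist, parameter names and log lines are all assumed or constructed for illustration.

```python
"""Open redirect (CWE-601): vulnerable pattern, hardened resolver, log check.
Added example, not SolarWinds code. All names and inputs are constructed."""
import re
from urllib.parse import unquote, urljoin, urlparse

# Assumed application origin and the only host users may be sent to.
APP_ORIGIN = "https://observability.example.internal"
ALLOWED_HOSTS = {"observability.example.internal"}


def redirect_target_vulnerable(user_supplied: str) -> str:
    """CWE-601 pattern: the client-controlled value becomes the Location
    header unchanged, so "https://attacker.example/login" sends the user
    off-site from a link that appeared to point at the application."""
    return user_supplied


def redirect_target_safe(user_supplied: str, default="/"):
    """Resolve the parameter against APP_ORIGIN and honour it only when the
    result is HTTPS on an allowlisted host; otherwise return `default`.
    Covers the usual bypass shapes: absolute URLs to other hosts,
    protocol-relative "//host", backslash variants ("/\\host"),
    userinfo tricks ("https://app@attacker"), and non-http schemes."""
    if not user_supplied:
        return default
    # Browsers treat backslashes as slashes; normalise before parsing so
    # "/\\attacker.example" is not mistaken for a local path.
    candidate = user_supplied.replace("\\", "/")
    resolved = urlparse(urljoin(APP_ORIGIN, candidate))
    if resolved.scheme != "https" or resolved.hostname not in ALLOWED_HOSTS:
        return default
    # Re-emit as a path-only URL so the response never carries a host at
    # all. Collapse leading slashes: a path of "//attacker.example" would
    # otherwise become a protocol-relative redirect.
    path = "/" + (resolved.path or "").lstrip("/")
    if resolved.query:
        path += "?" + resolved.query
    return path


# Detection side: scan access logs for redirect parameters the hardened
# resolver would reject. Parameter names are assumed, not the product's.
REDIRECT_PARAMS = ("next", "return_url", "returnUrl", "redirect")
_PARAM_RE = re.compile(r"[?&](" + "|".join(REDIRECT_PARAMS) + r")=([^&\s\"]+)")

# Constructed sample log lines in common-log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2026:10:00:01 +0000] "GET /login?next=https://attacker.example/login HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] "GET /login?returnUrl=%2F%2Fattacker.example HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2026:10:00:03 +0000] "GET /api/health HTTP/1.1" 200 15',
]


def find_offsite_redirects(log_lines):
    """Return (param, decoded_value) pairs whose value fails the allowlist
    check, i.e. requests worth reviewing as open-redirect probing."""
    hits = []
    for line in log_lines:
        for name, raw in _PARAM_RE.findall(line):
            value = unquote(raw)
            if value and redirect_target_safe(value, default=None) is None:
                hits.append((name, value))
    return hits


if __name__ == "__main__":
    for probe in ("/dashboard", "https://attacker.example/login",
                  "//attacker.example", "/\\attacker.example"):
        print(f"{probe!r:40} -> {redirect_target_safe(probe)!r}")
    print(find_offsite_redirects(SAMPLE_LOG))
```

The resolver returns a path-only target rather than echoing the validated URL, so host confusion between the server-side parser and the browser cannot reintroduce the redirect; the log check reuses the same resolver so detection and mitigation agree on what counts as off-site.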
OpenCVE Enrichment