Description
OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.
Published: 2026-04-07
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SSRF enabling internal network access and cloud metadata theft
Action: Patch Now
AI Analysis

Impact

OpenObserve’s enrichment table validator tries to keep server-side fetches away from internal addresses by parsing the URL host as an IP address and rejecting blocked ranges. For IPv6 literals the url crate’s host_str() returns the host with its surrounding brackets ("[::1]" rather than "::1"), so that parse fails and the literal falls through the check as if it were an ordinary hostname. An authenticated user who can create or update an enrichment table from a URL can therefore direct the server’s request at services that are otherwise blocked from external access, including cloud provider metadata endpoints such as AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS, which can expose IAM credentials and other sensitive data. The description scopes the bypass to IPv6 literals; IPv4 literals still take the intended path through the check.
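The bracket problem and its fix, as an added example that is not OpenObserve’s code: the vulnerable function below is a reconstruction of the pattern the description implies (parse the host string, let anything that fails to parse through as a hostname), and the hardened one strips the brackets the url crate adds before parsing and also handles IPv4-mapped IPv6 literals, which is a general caveat for any IPv6 host check rather than a step the advisory describes. Both take the string that url::Url::host_str() would return; the url crate itself is not used so the block runs with the standard library alone.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// IPv4 ranges a server-side fetcher must never contact.
fn is_blocked_v4(ip: Ipv4Addr) -> bool {
    ip.is_private()           // 10/8, 172.16/12, 192.168/16
        || ip.is_loopback()   // 127/8
        || ip.is_link_local() // 169.254/16, which contains 169.254.169.254
        || ip.is_unspecified()
        || ip.is_broadcast()
}

/// IPv6 ranges a server-side fetcher must never contact, including the
/// IPv4-mapped and IPv4-compatible forms that tunnel an IPv4 target.
fn is_blocked_v6(ip: Ipv6Addr) -> bool {
    if ip.is_loopback() || ip.is_unspecified() {
        return true;
    }
    let seg0 = ip.segments()[0];
    if seg0 & 0xffc0 == 0xfe80   // fe80::/10 link-local
        || seg0 & 0xfe00 == 0xfc00 // fc00::/7 unique-local
    {
        return true;
    }
    // "[::ffff:169.254.169.254]" is a valid IPv6 literal that still reaches the
    // IPv4 metadata service, so apply the IPv4 rules to mapped/compatible forms.
    if let Some(v4) = ip.to_ipv4_mapped().or_else(|| ip.to_ipv4()) {
        return is_blocked_v4(v4);
    }
    false
}

pub fn is_blocked(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_blocked_v4(v4),
        IpAddr::V6(v6) => is_blocked_v6(v6),
    }
}

/// Reconstruction of the vulnerable pattern (assumed, not OpenObserve's code).
/// `host_str` is what url::Url::host_str() returned. For IPv6 literals that is
/// "[::1]", which does not parse as an IpAddr, so the literal is treated like a
/// hostname and allowed through.
pub fn vulnerable_host_blocked(host_str: &str) -> bool {
    match host_str.parse::<IpAddr>() {
        Ok(ip) => is_blocked(ip),
        Err(_) => false, // assumed: non-IP hosts pass this particular check
    }
}

/// Hardened version: strip the brackets url::Url::host_str() places around
/// IPv6 literals before parsing, and reject a bracketed host that is not a
/// valid IPv6 address. A bare domain name still passes here; the caller must
/// resolve it and run is_blocked() over every resolved address (not shown).
pub fn hardened_host_blocked(host_str: &str) -> bool {
    let bracketed = host_str.len() >= 2
        && host_str.starts_with('[')
        && host_str.ends_with(']');
    let bare = if bracketed { &host_str[1..host_str.len() - 1] } else { host_str };
    match bare.parse::<IpAddr>() {
        Ok(ip) => is_blocked(ip),
        // "[garbage]" is malformed and blocked; a domain name is not decided here.
        Err(_) => bracketed,
    }
}

fn main() {
    // Constructed sample hosts, in the form url::Url::host_str() would return them.
    for host in ["127.0.0.1", "[::1]", "[::ffff:169.254.169.254]", "example.com"] {
        println!(
            "{:<28} vulnerable_blocked={:<5} hardened_blocked={}",
            host,
            vulnerable_host_blocked(host),
            hardened_host_blocked(host)
        );
    }
}
```

When the url crate is available, the cleaner fix is to match on url::Url::host(), which yields Host::Ipv4(Ipv4Addr) and Host::Ipv6(Ipv6Addr) already parsed and never goes through the bracketed string at all; the string-stripping version above exists only to show why the host_str() round trip fails. Whichever form is used, the IP check is only half of SSRF protection: hostnames must be resolved and every resulting address checked, and the fetcher should not follow redirects to addresses that were not themselves validated.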

Affected Systems

The vulnerability affects every OpenObserve installation running version 0.70.3 or earlier; the flawed code is the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs. Both cloud-hosted and self-hosted deployments are affected. Cloud deployments carry the greater risk because the instance metadata service is reachable from the OpenObserve process; on self-hosted deployments the exposure is whatever internal services that process can reach.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, 7.7 High) describes a network-reachable bypass needing only a low-privileged account and no user interaction, with a scope change because the server issues the request and the confidentiality impact lands on other systems. The EPSS score is below 1%, and CISA’s SSVC assessment records a public proof of concept ('Exploitation': 'poc') while rating the flaw not automatable. Risk is highest where the OpenObserve process can reach a cloud metadata endpoint over IMDSv1, which answers a plain GET with credentials; GCP metadata and Azure IMDS require a request header, so whether they are reachable depends on the headers the enrichment fetcher sends. The requirement for an account able to create or modify enrichment tables narrows the attacker population compared with unauthenticated SSRF variants. The flaw is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 14, 2026 at 22:06 UTC.

Remediation

The Remediation field on this page records no vendor fix or workaround. The CVE description scopes the flaw to 0.70.3 and earlier, so confirm the patched release in the GitHub advisory for CVE-2026-39361 before planning an upgrade.

OpenCVE Recommended Actions

  • Upgrade OpenObserve to a release newer than 0.70.3 (0.70.4 or later, as recommended here), after confirming the patched version in the vendor’s GitHub advisory for CVE-2026-39361.
  • If an upgrade is not immediately possible, restrict which accounts may create or modify enrichment tables, and disable loading enrichment tables from user-supplied URLs where the deployment allows it.
  • Review egress controls so the OpenObserve process cannot reach cloud metadata endpoints or other internal services it does not need. On AWS, require IMDSv2 (HttpTokens=required) and set the PUT response hop limit to 1, so a plain GET to 169.254.169.254 no longer returns credentials; apply the equivalent hardening on GCP and Azure, and prefer network policies that allow-list the instance’s legitimate destinations.

Generated by OpenCVE AI on April 14, 2026 at 22:06 UTC.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 20:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values added: Openobserve; Openobserve openobserve
Type: Vendors & Products
Values added: Openobserve; Openobserve openobserve

Tue, 07 Apr 2026 20:45:00 +0000

Type: Description
Values added: OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.
Type: Title
Values added: OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url
Type: Weaknesses
Values added: CWE-918
Type: References
Values added:
Type: Metrics (cvssV3_1)
Values added: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:17:46.139Z

Reserved: 2026-04-06T21:29:17.349Z

Link: CVE-2026-39361

Vulnrichment

Updated: 2026-04-09T15:04:30.587Z

NVD

Status : Analyzed

Published: 2026-04-07T20:16:29.837

Modified: 2026-04-14T20:28:05.760

Link: CVE-2026-39361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses