{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39361", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.349Z", "datePublished": "2026-04-07T19:02:12.816Z", "dateUpdated": "2026-04-09T16:17:46.139Z"}, "containers": {"cna": {"title": "OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79"}, {"name": "https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75", "tags": ["x_refsource_MISC"], "url": "https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75"}], "affected": [{"vendor": "openobserve", "product": "openobserve", "versions": [{"version": "<= 0.70.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:02:12.816Z"}, "descriptions": [{"lang": "en", "value": "OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. \"[::1]\" not \"::1\"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services."}], "source": {"advisory": "GHSA-gcwf-3p7h-wm79", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:04:06.578691Z", "id": "CVE-2026-39361", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:17:46.139Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39361", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:04:06.578691Z"}}}], "references": [{"url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:04:30.587Z"}}], "cna": {"title": "OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url", "source": {"advisory": "GHSA-gcwf-3p7h-wm79", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openobserve", "product": "openobserve", "versions": [{"status": "affected", "version": "<= 0.70.3"}]}], "references": [{"url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75", "name": "https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. \"[::1]\" not \"::1\"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:02:12.816Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39361", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:17:46.139Z", "dateReserved": "2026-04-06T21:29:17.349Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:02:12.816Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. \"[::1]\" not \"::1\"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services."}], "id": "CVE-2026-39361", "lastModified": "2026-04-09T17:16:28.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:29.837", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75"}, {"source": "security-advisories@github.com", "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.70.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openobserve", "source": "cna", "vendor": "openobserve"}, "product": "openobserve", "vendor": "openobserve"}], "analysis": {"en": {"generated_at": "2026-04-07T22:23:02.880105+00:00", "value": {"mitigation_remediation": ["Apply the latest OpenObserve release (>=0.70.4) or any patch that fixes the SSRF validation", "Ensure that users have the minimum required permissions, restricting authentication where possible", "If upgrading immediately is not possible, monitor for connectivity from the application to external IP addresses and deny unintended outbound requests", "Verify that IPv6 addresses in URL inputs are properly sanitized or blocked in your environment"], "summary": {"action": "Patch Immediately", "impact": "Internal Data Exposure via SSRF"}, "threat_synthesis": {"affected_systems": "OpenObserve platforms running version 0.70.3 or earlier are affected. Clients using the cloud\u2011hosted service can reach metadata endpoints on AWS, GCP, or Azure, while self\u2011hosted installations may probe internal network services. Any user with authentication privileges to the OpenObserve instance can exploit the issue.", "description_and_impact": "The vulnerability stems from a flaw in OpenObserve\u2019s enrichment URL validation, which fails to block IPv6 addresses represented in bracket notation, such as \"[::1]\". This oversight falls under CWE\u2011918\u00a0\u2013\u00a0Server\u2011Side Request Forgery. By submitting such URLs, an attacker can force the server to request resources from locations that are normally inaccessible from the external network, thereby enabling the retrieval of sensitive internal data and potentially authentication credentials.", "risk_and_exploitability": "The reported CVSS score of 7.7 indicates high severity, and while no EPSS score is available and the vulnerability is not listed in the KEV catalog, the attack requires authenticated access, making the exploitable target limited to existing users. Once achievable, the SSRF allows attackers to read internal service responses, potentially leaking IAM credentials and other sensitive information."}}}}, "created": "2026-04-08T19:34:51.074390+00:00", "updated": "2026-04-08T19:46:29.186374+00:00", "vendors": ["openobserve", "openobserve$PRODUCT$openobserve"]}