{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39361", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.349Z", "datePublished": "2026-04-07T19:02:12.816Z", "dateUpdated": "2026-04-09T16:17:46.139Z"}, "containers": {"cna": {"title": "OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79"}, {"name": "https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75", "tags": ["x_refsource_MISC"], "url": "https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75"}], "affected": [{"vendor": "openobserve", "product": "openobserve", "versions": [{"version": "<= 0.70.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:02:12.816Z"}, "descriptions": [{"lang": "en", "value": "OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. \"[::1]\" not \"::1\"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services."}], "source": {"advisory": "GHSA-gcwf-3p7h-wm79", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:04:06.578691Z", "id": "CVE-2026-39361", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:17:46.139Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39361", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:04:06.578691Z"}}}], "references": [{"url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:04:30.587Z"}}], "cna": {"title": "OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url", "source": {"advisory": "GHSA-gcwf-3p7h-wm79", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openobserve", "product": "openobserve", "versions": [{"status": "affected", "version": "<= 0.70.3"}]}], "references": [{"url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "name": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75", "name": "https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. \"[::1]\" not \"::1\"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:02:12.816Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39361", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:17:46.139Z", "dateReserved": "2026-04-06T21:29:17.349Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:02:12.816Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F67F4AC-8D23-4A1F-B15B-B7F6C46961AF", "versionEndIncluding": "0.70.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. \"[::1]\" not \"::1\"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services."}], "id": "CVE-2026-39361", "lastModified": "2026-04-14T20:28:05.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:29.837", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.70.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openobserve", "source": "cna", "vendor": "openobserve"}, "product": "openobserve", "vendor": "openobserve"}], "analysis": {"en": {"generated_at": "2026-04-14T22:06:55.229897+00:00", "value": {"mitigation_remediation": ["Upgrade OpenObserve to version 0.70.4 or later to apply the vendor\u2011supplied SSRF fix.", "If an upgrade is not immediately possible, disable or restrict the enrichment URL feature so that no external or user\u2011supplied URLs can be validated.", "Review internal network access controls to ensure that cloud metadata endpoints and other sensitive services are not reachable from the OpenObserve context or from authenticated users who should not have such access."], "summary": {"action": "Patch Now", "impact": "SSRF enabling internal network access and cloud metadata theft"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to all OpenObserve installations running version 0.70.3 or earlier. Any deployment using the OpenObserve platform that has not upgraded beyond 0.70.3 is affected, specifically the validate_enrichment_url function in the enrichment table request handler.", "description_and_impact": "OpenObserve\u2019s enrichment table validator incorrectly accepts IPv6 addresses written with surrounding brackets. This flaw bypasses the built\u2011in SSRF protection, allowing an authenticated user to supply a URL that resolves to an internal IP. By doing so, the attacker can reach services that are otherwise blocked from external access, including cloud provider metadata endpoints such as AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS, which can expose credentials and other sensitive data.", "risk_and_exploitability": "The CVSS score of 7.7 places the flaw in the high severity range, yet the EPSS score is below 1%, indicating a low probability of widespread exploitation. The risk is amplified when cloud metadata endpoints are reachable from the OpenObserve instance, and the flaw requires authenticated access to create or modify enrichment URLs, limiting the attack surface compared to publicly exploitable SSRF variants. The flaw is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-08T19:34:51.074390+00:00", "updated": "2026-04-15T16:15:11.972543+00:00", "vendors": ["openobserve", "openobserve$PRODUCT$openobserve"]}