CVE-2026-39361
OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url
| CVSS Score | 7.7 |
| EPSS Score | 0.0% |
| EPSS Percentile | 8th |
OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses: Rust's url crate returns an IPv6 host from Url::host_str() with its surrounding brackets (e.g. "[::1]" rather than "::1"), so the host string does not match the blocked-address checks and the request is allowed through. An authenticated attacker can therefore reach internal services that are blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), the GCP metadata server, or Azure IMDS. On self-hosted deployments it allows probing of internal network services.
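The failure mode described above, as an added example that is not OpenObserve's own code. It uses a small stand-in for url::Url::host_str() (constructed here to mimic the bracketed IPv6 output; the real crate is not linked so the block runs on the standard library alone), a naive validator that parses that string straight into an IpAddr and so silently lets "[::1]" through, and a hardened validator that strips the brackets before parsing and also unmaps IPv4-mapped IPv6 literals such as ::ffff:169.254.169.254. The names validate_enrichment_url_vulnerable and validate_enrichment_url_fixed and the exact blocklist are assumptions. In real code built on the url crate, match on Url::host(), which yields Host::Ipv6(Ipv6Addr) directly, instead of string-handling host_str().

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Simplified stand-in for `url::Url::host_str()` (assumption: written for this
/// example, not the url crate). Like the crate, it returns an IPv6 literal
/// *with* its brackets, e.g. "[::1]", and a hostname or IPv4 literal as-is.
fn host_str(url: &str) -> Option<&str> {
    let rest = url.split_once("://")?.1;
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next()?;
    let authority = authority.rsplit('@').next()?; // drop userinfo
    if let Some(after) = authority.strip_prefix('[') {
        let end = after.find(']')?;
        return Some(&authority[..end + 2]); // keep the brackets
    }
    authority.split(':').next() // drop the port
}

fn is_blocked_v4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_loopback()
        || ip.is_private()
        || ip.is_link_local() // 169.254.0.0/16, includes 169.254.169.254 (IMDS)
        || ip.is_unspecified()
        || ip.is_broadcast()
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64.0.0/10 shared address space
}

fn is_blocked_v6(ip: Ipv6Addr) -> bool {
    if ip.is_loopback() || ip.is_unspecified() {
        return true;
    }
    // ::ffff:a.b.c.d reaches IPv4 hosts through a v6 literal; check the embedded v4.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return is_blocked_v4(v4);
    }
    let s = ip.segments();
    (s[0] & 0xfe00) == 0xfc00   // fc00::/7 unique local
        || (s[0] & 0xffc0) == 0xfe80 // fe80::/10 link local
}

fn is_blocked_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_blocked_v4(v4),
        IpAddr::V6(v6) => is_blocked_v6(v6),
    }
}

/// Vulnerable pattern (assumed reconstruction of the bug class, not the real
/// function): only blocks when the raw host string parses as an IP address.
/// "[::1]" fails to parse because of the brackets, so it is waved through.
fn validate_enrichment_url_vulnerable(url: &str) -> Result<(), String> {
    let host = host_str(url).ok_or("url has no host")?;
    if let Ok(ip) = host.parse::<IpAddr>() {
        if is_blocked_ip(ip) {
            return Err(format!("blocked address {ip}"));
        }
    }
    Ok(())
}

/// Hardened: strip the IPv6 brackets before parsing so the literal is actually
/// checked. Hostnames are allowed here; a resolution-time check against the
/// same blocklist is still needed to stop DNS rebinding (out of scope).
fn validate_enrichment_url_fixed(url: &str) -> Result<(), String> {
    let host = host_str(url).ok_or("url has no host")?;
    let bare = host
        .strip_prefix('[')
        .and_then(|h| h.strip_suffix(']'))
        .unwrap_or(host);
    match bare.parse::<IpAddr>() {
        Ok(ip) if is_blocked_ip(ip) => Err(format!("blocked address {ip}")),
        _ => Ok(()),
    }
}

fn main() {
    // Constructed sample URLs an attacker might submit as an enrichment table source.
    for u in [
        "http://[::1]:5080/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "https://example.com/table.csv",
    ] {
        println!(
            "{u}\n  vulnerable: {:?}\n  fixed:      {:?}",
            validate_enrichment_url_vulnerable(u),
            validate_enrichment_url_fixed(u)
        );
    }
}
```

The vulnerable version still rejects a plain IPv4 loopback, which is why the bug was easy to miss in testing: only the bracketed IPv6 form slips past. Note also that blocking IMDS by address is only a partial mitigation; enforcing IMDSv2 (which requires a PUT with a hop-limit of 1 before any GET) defeats a GET-only SSRF regardless of how the URL is validated.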
| CWE | CWE-918 |
| Vendor | openobserve |
| Product | openobserve |
| Published | Apr 7, 2026 |
| Last Updated | Apr 9, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
Affected Versions
| openobserve / openobserve | <= 0.70.3 |