OpenObserve has an SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url
Platform
Rust (the description below refers to the Rust url crate; OpenObserve is a Rust code base)
Component
openobserve
Fixed in
0.70.4
CVE-2026-39361 describes a Server-Side Request Forgery (SSRF) vulnerability in OpenObserve, a cloud-native observability platform. The flaw lets authenticated attackers bypass the IPv6 address filtering applied to enrichment-table URLs and make the server fetch internal services that should be unreachable from outside. It affects versions 0.70.0 through 0.70.3 and is fixed in version 0.70.4.
Impact and attack scenarios
The SSRF vulnerability in OpenObserve poses a significant risk, particularly in cloud deployments. An attacker who can authenticate to the system can supply an enrichment-table URL that makes the server fetch internal services which are not reachable from the outside. On AWS this means the IMDSv1 endpoint (169.254.169.254), from which the instance's IAM role credentials can be read, which can lead to complete compromise of the cloud environment. The GCP and Azure metadata services listen on the same address but require a request header (Metadata-Flavor: Google and Metadata: true respectively), so they are reachable only if the enrichment fetch lets the attacker control request headers. In self-hosted deployments the attacker can probe internal network services and reach data or systems that were never meant to be exposed. The core of the bypass is IPv6 bracket notation: the Rust url crate reports IPv6 hosts in bracketed form such as [::1], so a validation routine that compares the host string against a blocklist, or parses it as an IP address without first stripping the brackets, does not recognise the literal as an IP address and lets it through.
Exploitation context
CVE-2026-39361 was publicly disclosed on 2026-04-07. Exploitation requires only a valid authenticated account, which is a low bar in most deployments. No public proof-of-concept (PoC) had been released at the time of writing, but the SSRF nature of the flaw and the potential for credential theft make it a high-priority concern. It is not listed on CISA KEV, and its EPSS score is 0.03% (9th percentile).
Who is at risk
Organizations utilizing OpenObserve in cloud environments, particularly those relying on AWS, GCP, or Azure for their infrastructure, are at significant risk. Self-hosted deployments are also vulnerable, especially if they expose internal services accessible from the OpenObserve instance. Teams using OpenObserve for sensitive data monitoring should prioritize remediation.
Detection steps
• linux / server: journalctl -u openobserve -g 'enrichment_url' | grep -i error surfaces error-level log lines that mention enrichment URLs. This only shows attempts the validation rejected and logged; a successful bypass produces no error.
• generic web: curl -I <openobserve_url>/api/v1/enrichment_table only confirms that the enrichment-table endpoint is exposed on the instance you are assessing; it cannot reveal past exploitation.
• generic web: Check OpenObserve access logs for enrichment URLs whose host is a metadata or internal endpoint, including the bracketed IPv6 forms the vulnerable check missed (e.g. 169.254.169.254, [::1], [::ffff:169.254.169.254], [fd00:ec2::254]).
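The following Rust example is added here and is not OpenObserve's code. It reconstructs the bracket-notation failure described under Impact and attack scenarios, then applies the hardened check to the log review step above. It works on the host string as url::Url::host_str() reports it (IPv6 literals keep their brackets, e.g. [::1]), so it builds with the standard library alone; the function names, the naive check, the url= field layout and the sample log lines are assumptions constructed for illustration.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// IPv4 ranges an enrichment fetch must never reach: loopback, unspecified,
/// link-local (includes the 169.254.169.254 metadata address) and RFC 1918.
fn is_internal_v4(v4: Ipv4Addr) -> bool {
    v4.is_loopback() || v4.is_unspecified() || v4.is_link_local() || v4.is_private()
}

/// Same decision for any address. An IPv4-mapped IPv6 address (::ffff:a.b.c.d)
/// reaches the IPv4 target on a dual-stack host, so it is judged as its IPv4 form.
fn is_internal_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_internal_v4(v4),
        IpAddr::V6(v6) => {
            if let Some(v4) = v6.to_ipv4_mapped() {
                return is_internal_v4(v4);
            }
            let first = v6.segments()[0];
            v6.is_loopback()
                || v6.is_unspecified()
                || (first & 0xffc0) == 0xfe80 // fe80::/10 link-local
                || (first & 0xfe00) == 0xfc00 // fc00::/7 unique local, e.g. fd00:ec2::254
        }
    }
}

/// Bug pattern (hypothetical reconstruction, not the project's code): host_str()
/// yields "[::1]" for an IPv6 literal, std's parser rejects the brackets, and the
/// code treats "not an IP" as "a hostname" and lets it through.
fn naive_host_is_blocked(host: &str) -> bool {
    match host.parse::<IpAddr>() {
        Ok(ip) => is_internal_ip(ip),
        Err(_) => false,
    }
}

/// Hardened check: strip the brackets, parse, and fail closed on any bracketed
/// host that is not a valid IPv6 literal (zone IDs such as fe80::1%eth0, junk).
fn hardened_host_is_blocked(host: &str) -> bool {
    if let Some(inner) = host.strip_prefix('[').and_then(|h| h.strip_suffix(']')) {
        return match inner.parse::<Ipv6Addr>() {
            Ok(v6) => is_internal_ip(IpAddr::V6(v6)),
            Err(_) => true,
        };
    }
    match host.parse::<IpAddr>() {
        Ok(ip) => is_internal_ip(ip),
        // A DNS name: resolve it, run is_internal_ip on every answer, and
        // connect only to the address you checked (not shown here).
        Err(_) => false,
    }
}

/// Minimal host extraction for log triage: the text between "://" and the next
/// '/', '?' or '#', minus any user:pass@ prefix and the port. Bracketed IPv6
/// hosts keep their brackets, exactly as host_str() would report them.
fn host_of_url(url: &str) -> Option<&str> {
    let rest = &url[url.find("://")? + 3..];
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    let authority = authority.rsplit('@').next()?;
    if authority.starts_with('[') {
        Some(&authority[..=authority.find(']')?])
    } else {
        authority.split(':').next()
    }
}

/// Flag log lines whose url= field (a constructed layout) names a host the
/// hardened check rejects; these are the submissions worth investigating.
fn suspicious_enrichment_lines<'a>(lines: &[&'a str]) -> Vec<&'a str> {
    lines
        .iter()
        .copied()
        .filter(|line| {
            line.split_whitespace()
                .find_map(|f| f.strip_prefix("url="))
                .and_then(host_of_url)
                .map_or(false, hardened_host_is_blocked)
        })
        .collect()
}

/// Constructed sample log lines, not real OpenObserve output.
const SAMPLE_LOG: &[&str] = &[
    "2026-04-07T10:00:01Z INFO enrichment_table user=alice url=https://cdn.example.com/geo.csv",
    "2026-04-07T10:00:02Z INFO enrichment_table user=mallory url=http://[::1]:5080/api/default/",
    "2026-04-07T10:00:03Z INFO enrichment_table user=mallory url=http://[::ffff:169.254.169.254]/latest/meta-data/iam/",
    "2026-04-07T10:00:04Z INFO enrichment_table user=mallory url=http://[fd00:ec2::254]/latest/meta-data/",
    "2026-04-07T10:00:05Z INFO enrichment_table user=bob url=http://169.254.169.254/latest/meta-data/",
];

fn main() {
    for host in ["169.254.169.254", "[::1]", "[::ffff:169.254.169.254]", "[fd00:ec2::254]", "example.com"] {
        println!("{host:28} naive_blocked={:<5} hardened_blocked={}",
                 naive_host_is_blocked(host), hardened_host_is_blocked(host));
    }
    for line in suspicious_enrichment_lines(SAMPLE_LOG) {
        println!("SUSPICIOUS: {line}");
    }
}
```

Compile and run it with rustc or cargo: the first loop prints, per host, whether the naive and the hardened check block it (only the naive check lets [::1], [::ffff:169.254.169.254] and [fd00:ec2::254] through), and the second prints the sample log lines that name a blocked host. For real hostnames the hardened check deliberately returns false: resolve the name, run is_internal_ip on every returned address, and connect to the address you checked, otherwise DNS rebinding bypasses the filter.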
Attack timeline
- Disclosure: 2026-04-07
Threat analysis
Exploit status
No public PoC at the time of writing; not listed on CISA KEV.
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (assembled from the metrics listed below; CVSS 3.x base score 7.7, High)
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the Internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Changed. The attack can reach beyond the vulnerable component into other systems (here: the cloud metadata service and internal hosts).
- Confidentiality: High. Complete loss of confidentiality; the attacker can read all data.
- Integrity: None. No integrity impact.
- Availability: None. No availability impact.
Affected software
OpenObserve 0.70.0 through 0.70.3 (fixed in 0.70.4)
Vulnerability classification (CWE)
Server-Side Request Forgery (SSRF), conventionally CWE-918
Timeline
- Reserved
- Published: 2026-04-07
- Modified
- EPSS updated
Mitigation and workarounds
The primary mitigation for CVE-2026-39361 is to upgrade OpenObserve to version 0.70.4 or later, which fixes the IPv6 address filtering in enrichment URL validation. If upgrading immediately is not feasible, block outbound connections from the OpenObserve host or pod to the cloud metadata address (169.254.169.254, and fd00:ec2::254 on AWS) and to internal ranges with egress filtering (host firewall, security group, or Kubernetes NetworkPolicy). A WAF or reverse proxy in front of OpenObserve does not see the server's own outbound fetches; at most it can reject submitted enrichment URLs whose host is a bracketed IPv6 literal or a link-local address. On AWS, requiring IMDSv2 (HttpTokens=required) removes the plain-GET credential path that this SSRF relies on. Restrict network access to the OpenObserve instance to authorized users and systems, and monitor outbound traffic from it for requests to metadata services. After upgrading, confirm the fix in a test environment by submitting an enrichment URL with a bracketed IPv6 host, such as http://[::1]:5080/ (5080 being OpenObserve's default port) or http://[::ffff:169.254.169.254]/latest/meta-data/, and verifying that validation rejects it.
How to fix
Upgrade to version 0.70.4 or later to fix the vulnerability. This update corrects the validation of enrichment URLs so that IPv6 addresses in bracket notation can no longer be used to reach internal services.
Frequently asked questions
What is CVE-2026-39361 — SSRF in OpenObserve?
CVE-2026-39361 is a HIGH severity SSRF vulnerability in OpenObserve versions 0.70.0 through 0.70.3, allowing authenticated attackers to access internal services.
Am I affected by CVE-2026-39361 in OpenObserve?
You are affected if you are running OpenObserve versions 0.70.0, 0.70.1, 0.70.2, or 0.70.3. Upgrade to 0.70.4 or later to mitigate the risk.
How do I fix CVE-2026-39361 in OpenObserve?
Upgrade OpenObserve to version 0.70.4 or later. As a temporary workaround, apply egress filtering on the OpenObserve host to block outbound requests to the cloud metadata address and internal ranges, and require IMDSv2 on AWS.
Is CVE-2026-39361 being actively exploited?
While no active exploitation has been publicly confirmed, the SSRF nature of the vulnerability and potential for credential theft make it a high-priority concern.
Where can I find the official OpenObserve advisory for CVE-2026-39361?
Refer to the OpenObserve security advisories page for the latest information and official guidance: [https://www.openobserve.io/security](https://www.openobserve.io/security)