Platform: go
Component: openobserve
Fixed in: 0.70.4
CVE-2026-39361 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in OpenObserve, a cloud-native observability platform. This flaw allows authenticated attackers to bypass IPv6 address filtering, enabling access to internal services that should be blocked from external access. The vulnerability impacts versions 0.70.0 through 0.70.3 and has been resolved in version 0.70.4.
The SSRF vulnerability in OpenObserve poses a significant risk, particularly in cloud deployments. An attacker who can authenticate to the system can leverage this flaw to reach internal services typically inaccessible from the outside world. Specifically, the vulnerability allows retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. This could lead to complete compromise of the cloud environment. In self-hosted deployments, the attacker can probe internal network services, potentially gaining access to sensitive data or systems. The ability to bypass IPv6 filtering is the core of the exploit, as the Rust url crate handles IPv6 addresses with brackets, which the validation logic fails to account for.
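The bracket handling described above is the kind of mismatch a host-literal check must account for. The following is an added illustration, not OpenObserve's code: a hypothetical prefix-based deny list (`naive_is_blocked`) beside a hardened check (`hardened_is_blocked`) that parses the host as an address, unwraps IPv4-mapped IPv6 forms, and classifies the result; the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical deny-list style check (constructed for illustration).
# It inspects the raw netloc text, so a bracketed IPv6 literal such as
# [::ffff:169.254.169.254] never matches the IPv4 prefixes it looks for.
def naive_is_blocked(url: str) -> bool:
    host = urlsplit(url).netloc.rsplit("@", 1)[-1]
    return host.startswith(("169.254.", "127.", "10."))


# Hardened check: classify the parsed address rather than its spelling.
def hardened_is_blocked(url: str) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return True
    host = parts.hostname  # strips the [] around IPv6 literals, lowercases
    if not host:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name, not a literal: must be resolved and the resolved
        # address re-checked with the same rules before connecting.
        return False
    # ::ffff:a.b.c.d is an IPv4 address in IPv6 clothing; judge the IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved)


# Constructed sample inputs covering the bracketed IPv6 cases.
SAMPLES = {
    "http://169.254.169.254/latest/meta-data/": True,
    "http://[::ffff:169.254.169.254]/latest/meta-data/": True,
    "http://[fd00::1]:8080/internal": True,
    "http://[::1]/": True,
    "https://example.com/enrichment.csv": False,
}


def compare() -> dict:
    """Return {url: (naive_result, hardened_result)} for the samples."""
    return {u: (naive_is_blocked(u), hardened_is_blocked(u)) for u in SAMPLES}
```

The hardened check only covers literals; a hostname must still be resolved and its address classified before any connection is made, or a DNS answer can reintroduce the same problem.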
CVE-2026-39361 was publicly disclosed on 2026-04-07. Its impact is amplified by the low bar to exploitation: only an authenticated account is required. While no public proof-of-concept (PoC) has been released at the time of writing, the SSRF nature of the vulnerability and the potential for credential theft make it a high-priority concern. It is not currently listed on CISA KEV, and the EPSS score is pending evaluation.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-39361 is to upgrade OpenObserve to version 0.70.4 or later, which includes the necessary fix for the IPv6 address filtering issue. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy to block outbound requests to known internal service endpoints (e.g., 169.254.169.254). Restrict network access to the OpenObserve instance to only authorized users and systems. Monitor network traffic for suspicious outbound requests, particularly those targeting metadata services. After upgrading, confirm the fix by attempting to access an internal service endpoint (e.g., AWS IMDSv1) and verifying that the request is blocked.
Update to version 0.70.4 or later to mitigate the vulnerability. This update corrects the enrichment URL validation, preventing IPv6 addresses with bracket notation from being exploited to access internal services.
CVE-2026-39361 is a HIGH severity SSRF vulnerability in OpenObserve versions 0.70.0 through 0.70.3, allowing authenticated attackers to access internal services.
You are affected if you are running OpenObserve versions 0.70.0, 0.70.1, 0.70.2, or 0.70.3. Upgrade to 0.70.4 or later to mitigate the risk.
Upgrade OpenObserve to version 0.70.4 or later. As a temporary workaround, implement a WAF or proxy to block outbound requests to internal service endpoints.
While no active exploitation has been publicly confirmed, the SSRF nature of the vulnerability and potential for credential theft make it a high-priority concern.
Refer to the OpenObserve security advisories page for the latest information and official guidance: [https://www.openobserve.io/security](https://www.openobserve.io/security)