7.7
CVE-2026-39361
- EPSS 0.27%
- Veröffentlicht 07.04.2026 19:02:12
- Zuletzt bearbeitet 14.04.2026 20:28:05
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url
OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Openobserve ≫ Openobserve Version <= 0.70.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.27% | 0.177 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.7 | 3.1 | 4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79
https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75