Skip to main content

Microsoft CVE-2026-39361

| EUVDEUVD-2026-19869 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-07 GitHub_M
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19869
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:02 nvd
HIGH 7.7

DescriptionGitHub Advisory

OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.

AnalysisAI

Server-Side Request Forgery (SSRF) in OpenObserve up to 0.70.3 allows authenticated attackers to bypass IPv6 address validation and access internal network resources, including cloud metadata services. The vulnerability enables retrieval of AWS IMDSv1 credentials at 169.254.169.254, GCP metadata endpoints, and Azure IMDS on cloud deployments, or probing of internal services in self-hosted environments. CVSS score of 7.7 reflects high confidentiality impact with changed scope. No public exploit identified at time of analysis, though exploitation requires only low-complexity authenticated network access.

Technical ContextAI

The vulnerability resides in OpenObserve's enrichment table URL validation function (validate_enrichment_url in src/handler/http/request/enrichment_table/mod.rs). The flaw stems from improper handling of IPv6 addresses parsed by Rust's url crate, which returns IPv6 literals with surrounding brackets (e.g., '[::1]' for localhost instead of '::1'). This formatting discrepancy causes the validation logic to fail in recognizing and blocking IPv6-based internal addresses. The root cause is classified as CWE-918 (Server-Side Request Forgery), where insufficient validation of user-supplied URLs allows attackers to force the application to make requests to arbitrary destinations. This is particularly dangerous in cloud environments where Instance Metadata Service (IMDS) endpoints use link-local IPv4 addresses (169.254.169.254) that may also be accessible via IPv6 equivalent addresses, or where internal IPv6 infrastructure exists. OpenObserve is a cloud-native observability platform handling telemetry data, making its access to internal networks and cloud APIs especially sensitive.

RemediationAI

Upgrade immediately to a patched version of OpenObserve newer than 0.70.3. Upstream fix available via commit d1a5d8f65b432e2e82f83231390dec7f107e8d75 at https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75, which corrects the IPv6 address parsing logic in the URL validation function. Until patching is complete, implement defense-in-depth measures: restrict network egress from OpenObserve instances using firewall rules to block access to 169.254.169.254 and internal IPv6 ranges, enforce AWS IMDSv2 (requiring token-based authentication) if running on AWS, disable cloud metadata endpoints if not required by the application, and audit authenticated user access to limit the attack surface. Review authentication logs for any suspicious enrichment table URL submissions attempting to access internal addresses. Consult the GitHub security advisory at https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79 for additional vendor guidance.

Share

CVE-2026-39361 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy