CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description
OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns IPv6 hosts with surrounding brackets (e.g. "[::1]" rather than "::1"), so the address check never matches. An authenticated attacker can reach internal services that are blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.
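The bracket mismatch described above, as an added example that is not OpenObserve's code: a naive host check that only parses the host string as-is lets "[::1]" through, while the hardened version strips the brackets, also unwraps IPv4-mapped IPv6 addresses, and then rejects loopback, link-local (which covers 169.254.169.254), private and unique-local ranges. The bracketed host strings are constructed to mirror what the url crate returns; only the standard library is used.

```rust
use std::net::{IpAddr, Ipv4Addr};

/// Naive check: rejects a host only if it parses directly as an IP address.
/// "[::1]" does not parse, so it is treated like a hostname and allowed.
fn is_blocked_naive(host: &str) -> bool {
    match host.parse::<IpAddr>() {
        Ok(ip) => is_internal(ip),
        Err(_) => false,
    }
}

/// Hardened check: strip the brackets the url crate keeps around IPv6
/// literals before parsing, then apply the same internal-range rules.
fn is_blocked_hardened(host: &str) -> bool {
    let bare = host
        .strip_prefix('[')
        .and_then(|h| h.strip_suffix(']'))
        .unwrap_or(host);
    match bare.parse::<IpAddr>() {
        Ok(ip) => is_internal(ip),
        // A DNS name: it must be resolved and every resolved address
        // checked with is_internal before connecting (resolution not shown).
        Err(_) => false,
    }
}

/// Internal-range test shared by both checks.
fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_internal_v4(v4),
        IpAddr::V6(v6) => {
            // IPv4-mapped addresses (::ffff:a.b.c.d) must be judged as IPv4,
            // otherwise "[::ffff:169.254.169.254]" slips past the v6 rules.
            if let Some(v4) = v6.to_ipv4_mapped() {
                return is_internal_v4(v4);
            }
            let first = v6.segments()[0];
            v6.is_loopback()
                || v6.is_unspecified()
                || (first & 0xffc0) == 0xfe80 // link-local fe80::/10
                || (first & 0xfe00) == 0xfc00 // unique-local fc00::/7
        }
    }
}

/// Loopback, RFC 1918, link-local (169.254.0.0/16, the IMDS range) and 0.0.0.0.
fn is_internal_v4(v4: Ipv4Addr) -> bool {
    v4.is_loopback() || v4.is_private() || v4.is_link_local() || v4.is_unspecified()
}
```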
Analysis
Server-Side Request Forgery (SSRF) in OpenObserve up to 0.70.3 allows authenticated attackers to bypass IPv6 address validation and access internal network resources, including cloud metadata services. The vulnerability enables retrieval of AWS IMDSv1 credentials at 169.254.169.254, GCP metadata endpoints, and Azure IMDS on cloud deployments, or probing of internal services in self-hosted environments. …
Remediation
Within 24 hours: Inventory all OpenObserve deployments and identify current versions; disable or restrict access to OpenObserve for non-essential users pending remediation. Within 7 days: Upgrade to OpenObserve 0.70.4 or later once released by the vendor; if unavailable, implement network segmentation with firewall rules so the OpenObserve server cannot reach 169.254.169.254 or internal metadata services. …
EUVD-2026-19869