Description

OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.

INFO

Published Date :

2026-04-07T19:02:12.816Z

Last Modified :

2026-04-09T16:17:46.139Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39361 vulnerability.

Vendors Products
Openobserve
  • Openobserve
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39361.

URL Resource
https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75 cve-icon cve-icon
https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact