Severity: high

OpenObserve SSRF via Improper IPv6 Validation

OpenObserve versions 0.70.3 and earlier are vulnerable to a server-side request forgery (SSRF) attack due to improper validation of IPv6 addresses in the validate_enrichment_url function, potentially allowing authenticated attackers to access internal services and retrieve sensitive cloud metadata.

OpenObserve, a cloud-native observability platform, contains a server-side request forgery (SSRF) vulnerability (CVE-2026-39361) in versions 0.70.3 and earlier. The vulnerability resides in the validate_enrichment_url function within src/handler/http/request/enrichment_table/mod.rs. The function fails to block IPv6 addresses because Rust's url crate returns an IPv6 host with its surrounding brackets (e.g., "[::1]") rather than the bare address, so the bracketed form is not recognized by checks that expect a bare address. This allows an authenticated attacker to bypass the intended restrictions and reach internal services that are normally blocked from external access. Successful exploitation can lead to the retrieval of sensitive IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS on cloud deployments, and to probing of internal network services on self-hosted deployments.
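The bracket mismatch, modelled with Rust's standard library alone as an added example (this is not OpenObserve's code, and is_blocked_ip, flawed_allows and hardened_allows are names assumed for the illustration, as is the block list): the flawed check parses the host string exactly as url's host_str() hands it back, so "[::1]" fails to parse and is waved through as a hostname; the hardened check strips the brackets first and also judges the IPv4 address embedded in an IPv4-mapped IPv6 literal.

```rust
use std::net::IpAddr;

/// Addresses an enrichment-table fetch must never reach (assumed block list
/// for this example; the real project's list may differ).
fn is_blocked_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            v4.is_loopback() || v4.is_private() || v4.is_link_local() || v4.is_unspecified()
        }
        IpAddr::V6(v6) => {
            let first = v6.segments()[0];
            v6.is_loopback()
                || v6.is_unspecified()
                || (first & 0xfe00) == 0xfc00 // unique local, fc00::/7
                || (first & 0xffc0) == 0xfe80 // link local, fe80::/10
                // IPv4-mapped form (::ffff:a.b.c.d): judge the embedded IPv4 address
                || v6.to_ipv4_mapped().map_or(false, |v4| is_blocked_ip(IpAddr::V4(v4)))
        }
    }
}

/// Flawed pattern: the host string is checked exactly as `Url::host_str()` hands it
/// back. An IPv6 literal arrives as "[::1]", which is not a valid `IpAddr`, so it is
/// treated as a DNS name and allowed.
fn flawed_allows(host_str: &str) -> bool {
    match host_str.parse::<IpAddr>() {
        Ok(ip) => !is_blocked_ip(ip),
        Err(_) => true, // assumed to be a hostname
    }
}

/// Hardened pattern: strip the brackets an IPv6 literal carries, then check.
/// (Hostnames still need their resolved addresses checked; out of scope here.)
fn hardened_allows(host_str: &str) -> bool {
    let bare = host_str
        .strip_prefix('[')
        .and_then(|s| s.strip_suffix(']'))
        .unwrap_or(host_str);
    match bare.parse::<IpAddr>() {
        Ok(ip) => !is_blocked_ip(ip),
        Err(_) => true,
    }
}

fn main() {
    for host in ["[::1]", "[::ffff:169.254.169.254]", "169.254.169.254", "[2001:db8::1]"] {
        println!("{host:<28} flawed={} hardened={}", flawed_allows(host), hardened_allows(host));
    }
}
```

A caller using the real crate can avoid the string form entirely by matching on Url::host(), which yields a typed Host::Ipv6 value for IPv6 literals.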

Attack Chain

  1. An authenticated attacker identifies the validate_enrichment_url function as a potential SSRF target.
  2. The attacker crafts a malicious URL containing an IPv6 address with surrounding brackets (e.g., http://[::1]).
  3. The attacker submits a request to the OpenObserve server, providing the malicious URL to the validate_enrichment_url function.
  4. The validate_enrichment_url function fails to properly validate the IPv6 address due to the brackets.
  5. The OpenObserve server initiates a request to the attacker-specified IPv6 address, bypassing intended access restrictions.
  6. In a cloud environment, the attacker targets the AWS IMDSv1 endpoint (169.254.169.254) to retrieve IAM credentials.
  7. The OpenObserve server retrieves the IAM credentials from the IMDSv1 endpoint and returns them to the attacker.
  8. The attacker uses the stolen IAM credentials to gain unauthorized access to cloud resources.

Impact

Successful exploitation of this SSRF vulnerability can lead to significant consequences, especially in cloud deployments. An attacker can retrieve sensitive IAM credentials from cloud metadata services like AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. These stolen credentials can then be used to gain unauthorized access to critical cloud resources, potentially leading to data breaches, service disruption, and financial losses. The vulnerability affects OpenObserve instances running version 0.70.3 and earlier. The number of affected organizations is currently unknown, but any organization using a vulnerable version of OpenObserve is at risk.

Recommendation

  • Upgrade OpenObserve to a version greater than 0.70.3 to patch CVE-2026-39361.
  • Monitor network connections originating from OpenObserve servers to internal IP addresses such as 169.254.169.254 using the provided Sigma rule to detect potential SSRF attempts.
  • Implement network segmentation and access controls to limit the impact of a successful SSRF attack, restricting access from OpenObserve servers to sensitive internal services.
  • Consider disabling IMDSv1 and migrating to IMDSv2 on AWS EC2 instances to mitigate the risk of IAM credential theft; IMDSv2 requires a session token obtained with a PUT request, which an SSRF that can only issue GET requests cannot obtain.

Detection coverage (2 rules)

Detect OpenObserve SSRF Attempt via AWS IMDS Access (severity: high)

Detects network connections from OpenObserve servers to the AWS IMDSv1 endpoint (169.254.169.254), indicating a potential SSRF attempt to steal IAM credentials.

Format: Sigma. Tactics: initial_access. Techniques: T1190. Log sources: network_connection, linux.

Detect OpenObserve process making outbound connection (severity: medium)

Detects outbound connections from OpenObserve processes, which can reveal SSRF attempts.

Format: Sigma. Tactics: initial_access. Techniques: T1190. Log sources: network_connection, linux.

Detection queries are kept inside the platform.

Indicators of compromise (1)

Type  Value
ip    169.254.169.254