{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/openobserve/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-39361"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ssrf","openobserve","cloud","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenObserve, a cloud-native observability platform, contains a server-side request forgery (SSRF) vulnerability (CVE-2026-39361) in versions 0.70.3 and earlier. The vulnerability resides in the \u003ccode\u003evalidate_enrichment_url\u003c/code\u003e function in \u003ccode\u003esrc/handler/http/request/enrichment_table/mod.rs\u003c/code\u003e. The function fails to block IPv6 addresses because Rust\u0026rsquo;s \u003ccode\u003eurl\u003c/code\u003e crate returns an IPv6 host with its surrounding brackets (e.g., \u0026ldquo;[::1]\u0026rdquo; rather than \u0026ldquo;::1\u0026rdquo;), so a check written against bare addresses never matches it. An authenticated attacker can therefore bypass the intended restrictions and reach internal services that are normally unreachable from outside. 
Successful exploitation can lead to the retrieval of sensitive IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS on cloud deployments, and to probing of internal network services on self-hosted deployments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker submits an enrichment-table request whose URL is checked by \u003ccode\u003evalidate_enrichment_url\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe URL carries a bracketed IPv6 host (e.g., \u003ccode\u003ehttp://[::1]\u003c/code\u003e) that points at an internal address.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evalidate_enrichment_url\u003c/code\u003e does not recognize the bracketed form as a blocked address and accepts the URL.\u003c/li\u003e\n\u003cli\u003eThe OpenObserve server issues a request to the attacker-chosen address, bypassing the intended access restrictions.\u003c/li\u003e\n\u003cli\u003eIn a cloud environment, the attacker points the URL at the instance metadata service. Note that 169.254.169.254 is an IPv4 address: through a bracket-only bypass it is reachable only in an IPv6 form, such as the IPv4-mapped address \u003ccode\u003ehttp://[::ffff:169.254.169.254]\u003c/code\u003e (whether that connects depends on the host\u0026rsquo;s dual-stack handling), or via an IPv6 metadata endpoint where the instance exposes one.\u003c/li\u003e\n\u003cli\u003eThe OpenObserve server retrieves the IAM credentials from IMDSv1 and returns them in its response to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen IAM credentials to gain unauthorized access to cloud resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability can have significant consequences, especially in cloud deployments. An attacker can retrieve sensitive IAM credentials from cloud metadata services such as AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. 
These stolen credentials can then be used to gain unauthorized access to critical cloud resources, potentially leading to data breaches, service disruption, and financial loss. The vulnerability affects OpenObserve versions 0.70.3 and earlier. The number of affected organizations is currently unknown, but any organization running a vulnerable version of OpenObserve is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenObserve to a version later than 0.70.3 to patch CVE-2026-39361.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from OpenObserve servers to internal addresses such as 169.254.169.254, and to loopback, link-local and private ranges over IPv6, using the provided Sigma rule to detect SSRF attempts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and egress controls so that OpenObserve servers cannot reach sensitive internal services or the metadata endpoint at all; this limits the impact of any SSRF, not only this one.\u003c/li\u003e\n\u003cli\u003eOn AWS EC2, require IMDSv2 and disable IMDSv1: IMDSv2 needs a PUT request with a token header before credentials can be read, which an SSRF that controls only the URL cannot issue, so the credential-theft step fails even if the server-side request succeeds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T20:16:29Z","date_published":"2026-04-07T20:16:29Z","id":"/briefs/2024-01-30-openobserve-ssrf/","summary":"OpenObserve versions 0.70.3 and earlier are vulnerable to a server-side request forgery (SSRF) attack due to improper validation of IPv6 addresses in the validate_enrichment_url function, potentially allowing authenticated attackers to access internal services and retrieve sensitive cloud metadata.","title":"OpenObserve SSRF via Improper IPv6 Validation","url":"https://feed.craftedsignal.io/briefs/2024-01-30-openobserve-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Openobserve","version":"https://jsonfeed.org/version/1.1"}
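The bracket bypass the advisory describes, shown as an added example: this is not OpenObserve's code and does not reproduce its `validate_enrichment_url`. It takes host strings in the shape the `url` crate's `Url::host_str()` returns them (IPv6 hosts bracketed, e.g. `[::1]`), so it runs on the standard library alone. `is_blocked_naive` parses the host directly and lets every bracketed IPv6 literal through; `is_blocked_hardened` strips the brackets first and also folds IPv4-mapped IPv6 addresses back to IPv4 so the IPv4 rules apply to them. The sample hosts in `main` are constructed for illustration.

```rust
use std::net::IpAddr;

/// Naive check in the shape the advisory describes (added example, not
/// OpenObserve code): the host string is parsed directly as an IP literal.
/// For IPv6, `Url::host_str()` yields "[::1]", which does not parse, so the
/// address falls through as a "hostname" and is allowed.
pub fn is_blocked_naive(host: &str) -> bool {
    match host.parse::<IpAddr>() {
        Ok(ip) => is_internal(ip),
        Err(_) => false, // not an IP literal: treated as a hostname and allowed
    }
}

/// Hardened check: remove the IPv6 brackets before parsing, and reduce
/// IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) to IPv4 so that, for example,
/// [::ffff:169.254.169.254] is judged by the link-local rule.
pub fn is_blocked_hardened(host: &str) -> bool {
    let bare = host
        .strip_prefix('[')
        .and_then(|h| h.strip_suffix(']'))
        .unwrap_or(host);
    match bare.parse::<IpAddr>() {
        Ok(ip) => is_internal(canonical(ip)),
        // A hostname must be resolved and every resolved address re-checked
        // in a real deployment; resolution is out of scope for this example.
        Err(_) => false,
    }
}

/// Fold an IPv4-mapped IPv6 address back to its IPv4 form; leave others alone.
fn canonical(ip: IpAddr) -> IpAddr {
    if let IpAddr::V6(v6) = ip {
        if let Some(v4) = v6.to_ipv4_mapped() {
            return IpAddr::V4(v4);
        }
    }
    ip
}

/// Ranges a server-side fetch must never target: loopback, unspecified,
/// link-local (169.254.0.0/16 holds the AWS metadata address) and
/// private / unique-local space.
fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => {
            v4.is_loopback() || v4.is_unspecified() || v4.is_link_local() || v4.is_private()
        }
        IpAddr::V6(v6) => {
            let first = v6.segments()[0];
            v6.is_loopback()
                || v6.is_unspecified()
                || (first & 0xffc0) == 0xfe80 // fe80::/10 link-local
                || (first & 0xfe00) == 0xfc00 // fc00::/7 unique local
        }
    }
}

fn main() {
    // Constructed sample hosts, written as `Url::host_str()` would return them.
    let hosts = [
        "127.0.0.1",
        "169.254.169.254",
        "[::1]",
        "[::ffff:169.254.169.254]",
        "[fe80::1]",
        "[2001:db8::1]",
        "example.com",
    ];
    for host in hosts {
        println!(
            "{:>26}  naive_blocked={:<5} hardened_blocked={}",
            host,
            is_blocked_naive(host),
            is_blocked_hardened(host)
        );
    }
}
```

Running it shows `[::1]` and `[::ffff:169.254.169.254]` passing the naive check and being rejected by the hardened one, while a public address such as `[2001:db8::1]` and a plain hostname are accepted by both. The hostname case is the usual second gap in SSRF filters: the address must be checked after resolution, not only when the URL carries a literal.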