CVE-2025-66223
BaseFortify
Publication date: 2025-11-29
Last updated on: 2025-11-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openobserve | openobserve | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OpenObserve versions prior to 0.16.0 involves organization invitation tokens that do not expire once issued. These tokens remain valid even after the invited user is removed from the organization. Additionally, multiple invitations can be sent to the same email with different roles, and all issued links remain valid simultaneously. This leads to broken access control, allowing removed or demoted users to regain access or escalate their privileges.
How can this vulnerability impact me?
The vulnerability can impact you by allowing unauthorized access to your organization's OpenObserve platform. Removed or demoted users could regain access or escalate their privileges, potentially leading to unauthorized data access, manipulation, or other security breaches within your observability environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenObserve to version 0.16.0 or later, where the issue with organization invitation tokens has been patched to expire properly and prevent unauthorized access or privilege escalation.
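As an added illustration, not OpenObserve's own code, the following Python sketch of an invitation-token store closes the three gaps described above: every token carries an expiry, a removed or demoted member's pending invitations are revoked, and a newer invitation for the same email supersedes earlier ones so only one role can be claimed. The class and method names, the TTL and the injectable clock are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass

INVITE_TTL_SECONDS = 7 * 24 * 3600  # constructed policy value for the example


@dataclass
class Invite:
    token: str
    email: str
    role: str
    expires_at: float
    revoked: bool = False  # set on redeem, supersede, or member removal


class InviteStore:
    """Single-use, expiring organization invitations (hypothetical design)."""

    def __init__(self, ttl=INVITE_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now          # injectable clock so expiry can be tested offline
        self._by_token = {}

    def issue(self, email, role):
        # Supersede any outstanding invite for this email: a second invitation
        # with a different role must not leave the first link valid as well.
        self.revoke_for_email(email)
        inv = Invite(secrets.token_urlsafe(32), email, role, self.now() + self.ttl)
        self._by_token[inv.token] = inv
        return inv.token

    def redeem(self, token):
        # Reject unknown, revoked and expired tokens alike (CWE-613); a valid
        # token is consumed on first use so the link cannot be replayed later.
        inv = self._by_token.get(token)
        if inv is None or inv.revoked or self.now() >= inv.expires_at:
            return None
        inv.revoked = True
        return (inv.email, inv.role)

    def revoke_for_email(self, email):
        # Called when a member is removed or demoted: pending links die with them.
        count = 0
        for inv in self._by_token.values():
            if inv.email == email and not inv.revoked:
                inv.revoked = True
                count += 1
        return count
```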