CVE-2026-39361
Received Received - Intake
IPv6 Bypass in OpenObserve Enables Internal Service Access

Publication date: 2026-04-07

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39361
EUVD
EUVD-2026-19869
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openobserve openobserve to 0.70.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated attackers to bypass URL validation and access internal network services or cloud metadata endpoints, potentially exposing sensitive data such as cloud IAM credentials or internal service information.

Exposure of sensitive data, including credentials and internal service information, could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive and personal data.

By enabling unauthorized access to internal resources and sensitive information, this vulnerability increases the risk of data breaches and unauthorized data disclosure, which are critical compliance concerns under these standards.

Executive Summary

CVE-2026-39361 is a Server-Side Request Forgery (SSRF) vulnerability in the OpenObserve observability platform (version 0.70.3 and earlier). The issue arises because the function validate_enrichment_url fails to properly block IPv6 addresses due to the way Rust's url crate returns IPv6 addresses with surrounding brackets (e.g., "[::1]") while the validation logic incorrectly compares them without brackets (e.g., "::1").

This flaw allows an authenticated attacker to bypass checks that are meant to block access to internal or private IP addresses. As a result, the attacker can make the server send requests to internal services that should be inaccessible externally, including cloud metadata services like AWS IMDSv1, GCP metadata, or Azure IMDS, potentially exposing sensitive credentials or internal network information.

Impact Analysis

This vulnerability can have serious impacts by allowing an authenticated attacker to access internal network services or cloud metadata endpoints that are normally protected from external access.

  • Exposure of sensitive cloud IAM credentials via AWS IMDSv1, GCP metadata, or Azure IMDS.
  • Unauthorized probing and access to internal network services on self-hosted deployments.
  • Potential compromise of confidentiality due to leakage of sensitive internal or cloud service information.
Detection Guidance

This vulnerability can be detected by monitoring enrichment URL requests sent to the OpenObserve API for suspicious IPv6 bracketed addresses that bypass validation, such as URLs containing hosts like "[::1]", "[::ffff:127.0.0.1]", or other private/internal IP addresses enclosed in brackets.

Detection can involve inspecting logs or network traffic for enrichment URL requests that include IPv6 addresses with brackets, especially those targeting internal or cloud metadata IPs (e.g., 169.254.169.254).

Suggested commands to detect such activity include:

  • Using grep or similar tools on logs to find bracketed IPv6 addresses in enrichment URLs, e.g.:
  • grep -E '\[::[0-9a-fA-F:]+\]' /path/to/openobserve/logs/*
  • Using network packet capture tools like tcpdump or Wireshark to filter HTTP requests containing bracketed IPv6 addresses:
  • tcpdump -A -s 0 'tcp port 80 and (((ip6[40] = 0x47) and (ip6[41] = 0x45)) or (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420))' | grep '\[::'
  • Review enrichment URL parameters in API requests for hosts that include brackets and map to internal IP ranges or cloud metadata IPs.
Mitigation Strategies

Immediate mitigation steps include updating OpenObserve to a version that includes the fix for CVE-2026-39361, which properly strips brackets from IPv6 addresses and blocks access to localhost, private, link-local, and cloud metadata IP addresses.

If an immediate update is not possible, consider implementing network-level controls to block outbound requests from OpenObserve to internal IP ranges and cloud metadata IP addresses such as 169.254.169.254.

Additionally, restrict authenticated users' ability to submit enrichment URLs or validate and sanitize enrichment URL inputs to prevent bracketed IPv6 addresses from bypassing validation.

Monitoring and alerting on suspicious enrichment URL requests containing bracketed IPv6 addresses can also help detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39361. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart