CVE-2026-39361
Status: Received - Intake
IPv6 Bypass in OpenObserve Enables Internal Service Access

Publication date: 2026-04-07

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.
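As an added illustration (not OpenObserve's code), the shape of the bracket mismatch described above, beside a hardened check that strips the brackets, parses the literal with std::net, and also catches IPv4-mapped, unique-local and link-local IPv6 ranges. The host strings are constructed in the form the url crate's host_str() returns them; the function names are assumptions.

```rust
use std::net::{IpAddr, Ipv4Addr};
/// Shape of the flawed check: the host is compared against unbracketed
/// literals, but for IPv6 the url crate's host_str() yields "[::1]", so the
/// denylist never matches. Illustrative reconstruction, not OpenObserve's code.
fn vulnerable_is_blocked(host: &str) -> bool {
    const BLOCKED: &[&str] = &["localhost", "127.0.0.1", "::1", "169.254.169.254"];
    BLOCKED.contains(&host)
}

/// IPv4 ranges a server-side fetch must never reach: loopback, RFC 1918,
/// link-local (which contains the 169.254.169.254 metadata endpoint), 0.0.0.0.
fn is_internal_v4(ip: Ipv4Addr) -> bool {
    ip.is_loopback() || ip.is_private() || ip.is_link_local() || ip.is_unspecified()
}

/// Hardened check: strip the brackets, parse the literal with std, and judge
/// IPv4-mapped addresses (::ffff:a.b.c.d) as the IPv4 address they carry so
/// "[::ffff:127.0.0.1]" cannot slip past the IPv4 rules.
fn hardened_is_blocked(host: &str) -> bool {
    let bare = host.strip_prefix('[').and_then(|h| h.strip_suffix(']')).unwrap_or(host);
    if bare.eq_ignore_ascii_case("localhost") {
        return true;
    }
    match bare.parse::<IpAddr>() {
        Ok(IpAddr::V4(v4)) => is_internal_v4(v4),
        Ok(IpAddr::V6(v6)) => match v6.to_ipv4_mapped() {
            Some(v4) => is_internal_v4(v4),
            None => {
                let first = v6.segments()[0];
                v6.is_loopback()
                    || v6.is_unspecified()
                    || (first & 0xfe00) == 0xfc00 // fc00::/7 unique local
                    || (first & 0xffc0) == 0xfe80 // fe80::/10 link local
            }
        },
        // A hostname, not a literal: the caller must resolve it and re-check
        // every resulting address before connecting (DNS rebinding).
        Err(_) => false,
    }
}

fn main() {
    // Constructed host strings, written as the url crate returns them.
    for host in ["[::1]", "[::ffff:169.254.169.254]", "169.254.169.254", "[2001:db8::1]"] {
        println!("{host:28} vulnerable={} hardened={}",
            vulnerable_is_blocked(host), hardened_is_blocked(host));
    }
}
```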
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openobserve
Product: openobserve
Version / Range: up to 0.70.3 (inclusive)
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows authenticated attackers to bypass URL validation and access internal network services or cloud metadata endpoints, potentially exposing sensitive data such as cloud IAM credentials or internal service information.

Exposure of sensitive data, including credentials and internal service information, could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive and personal data.

By enabling unauthorized access to internal resources and sensitive information, this vulnerability increases the risk of data breaches and unauthorized data disclosure, which are critical compliance concerns under these standards.


Can you explain this vulnerability to me?

CVE-2026-39361 is a Server-Side Request Forgery (SSRF) vulnerability in the OpenObserve observability platform (version 0.70.3 and earlier). The issue arises because the function validate_enrichment_url fails to properly block IPv6 addresses due to the way Rust's url crate returns IPv6 addresses with surrounding brackets (e.g., "[::1]") while the validation logic incorrectly compares them without brackets (e.g., "::1").

This flaw allows an authenticated attacker to bypass checks that are meant to block access to internal or private IP addresses. As a result, the attacker can make the server send requests to internal services that should be inaccessible externally, including cloud metadata services like AWS IMDSv1, GCP metadata, or Azure IMDS, potentially exposing sensitive credentials or internal network information.


How can this vulnerability impact me?

This vulnerability can have serious impacts by allowing an authenticated attacker to access internal network services or cloud metadata endpoints that are normally protected from external access.

  • Exposure of sensitive cloud IAM credentials via AWS IMDSv1, GCP metadata, or Azure IMDS.
  • Unauthorized probing and access to internal network services on self-hosted deployments.
  • Potential compromise of confidentiality due to leakage of sensitive internal or cloud service information.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring enrichment URL requests sent to the OpenObserve API for suspicious IPv6 bracketed addresses that bypass validation, such as URLs containing hosts like "[::1]", "[::ffff:127.0.0.1]", or other private/internal IP addresses enclosed in brackets.

Detection can involve inspecting logs or network traffic for enrichment URL requests that include IPv6 addresses with brackets, especially those targeting internal or cloud metadata IPs (e.g., 169.254.169.254).

Suggested commands to detect such activity include:

  • Using grep or similar tools on logs to find bracketed IPv6 addresses in enrichment URLs, e.g.:
      grep -E '\[[0-9a-fA-F:.]+\]' /path/to/openobserve/logs/*
  • Using network packet capture tools like tcpdump or Wireshark to filter plaintext HTTP GET or POST requests containing bracketed IPv6 addresses:
      tcpdump -A -s 0 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354)' | grep -E '\[[0-9a-fA-F:.]+\]'
  • Review enrichment URL parameters in API requests for hosts that include brackets and map to internal IP ranges or cloud metadata IPs.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating OpenObserve to a version that includes the fix for CVE-2026-39361, which properly strips brackets from IPv6 addresses and blocks access to localhost, private, link-local, and cloud metadata IP addresses.

If an immediate update is not possible, consider implementing network-level controls to block outbound requests from OpenObserve to internal IP ranges and cloud metadata IP addresses such as 169.254.169.254.

Additionally, restrict authenticated users' ability to submit enrichment URLs or validate and sanitize enrichment URL inputs to prevent bracketed IPv6 addresses from bypassing validation.

Monitoring and alerting on suspicious enrichment URL requests containing bracketed IPv6 addresses can also help detect exploitation attempts.

