CVE-2025-66223
📋 TL;DR
OpenObserve versions before 0.16.0 have an access control vulnerability in organization invitations: invitation tokens never expire, stay valid after the invited user has been removed from the organization, and several invitations can be active for the same user at once. A user who has been removed or demoted can therefore replay an old invitation token to regain membership or recover a higher role. Organizations using OpenObserve for observability are affected.
💻 Affected Systems
- OpenObserve
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version ranges, so scanners that key on NVD data may not flag affected installs automatically. The vendor advisory linked below states that versions before 0.16.0 are affected, so confirm your version by hand:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
A malicious former user could regain administrative access to the observability platform, potentially accessing sensitive telemetry data, modifying configurations, or disrupting monitoring operations.
Likely Case
A former employee or contractor uses an old invitation link to regain access to organizational data they should no longer have access to, potentially violating data privacy policies.
If Mitigated
With user lifecycle management that revokes invitations on removal and monitoring of logins, a replayed token is rejected or, at worst, detected and logged promptly, limiting the damage to a short window of data exposure.
🎯 Exploit Status
Exploitation requires possession of an invitation token. The invitee receives the token by design, so anyone who was ever invited still holds a usable one after being removed or demoted; a token could also be obtained through social engineering. No authentication beyond the token itself is needed.
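The token lifecycle behind this CVE, as an added model that is not OpenObserve's code: a small in-memory invitation store with the three reported defects (no expiry, tokens outlive the member, several live invitations per address) next to a hardened one, and the four scenarios from the advisory (replay after removal, replay after demotion, stale token, duplicate invitations) run against both. Every class, method and field name is hypothetical.

```python
"""Added model of the CVE-2025-66223 token lifecycle, not OpenObserve code.
A store with the three reported defects sits beside a hardened one; every
class, method and field name here is hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 86_400.0

@dataclass
class Invite:
    email: str
    role: str
    expires_at: Optional[float]  # None: the token never expires
    revoked: bool = False

class VulnerableInviteStore:
    """Tokens never expire, outlive the member, and several may be live."""
    def __init__(self) -> None:
        self.invites: Dict[str, Invite] = {}  # token -> invite
        self.members: Dict[str, str] = {}     # email -> current role

    def invite(self, email: str, role: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.invites[token] = Invite(email, role, expires_at=None)
        return token

    def accept(self, token: str, now: float) -> bool:
        inv = self.invites.get(token)
        if inv is None:
            return False
        self.members[inv.email] = inv.role  # role frozen at invite time; token stays live
        return True

    def remove_member(self, email: str) -> None:
        self.members.pop(email, None)  # outstanding invitations are left untouched

    def live_invites(self, email: str) -> List[Invite]:
        return [i for i in self.invites.values() if i.email == email and not i.revoked]

class HardenedInviteStore(VulnerableInviteStore):
    """Expiry, single use, one live invite per address, revoke on removal."""
    TTL = 7 * DAY

    def invite(self, email: str, role: str, now: float) -> str:
        for inv in self.live_invites(email):  # re-inviting supersedes older tokens
            inv.revoked = True
        token = secrets.token_urlsafe(32)
        self.invites[token] = Invite(email, role, expires_at=now + self.TTL)
        return token

    def accept(self, token: str, now: float) -> bool:
        inv = self.invites.get(token)
        if inv is None or inv.revoked:
            return False
        if inv.expires_at is not None and now >= inv.expires_at:
            return False
        inv.revoked = True  # consumed on first use
        self.members[inv.email] = inv.role
        return True

    def remove_member(self, email: str) -> None:
        super().remove_member(email)
        for inv in self.live_invites(email):  # removal kills pending invites too
            inv.revoked = True

T0 = 1_700_000_000.0  # arbitrary epoch seconds for the scenarios below

def replay_after_removal(store_cls) -> bool:
    """Removed member replays the original token; True means access regained."""
    s = store_cls()
    token = s.invite("alice@example.com", "admin", T0)
    s.accept(token, T0 + 60)
    s.remove_member("alice@example.com")
    return s.accept(token, T0 + DAY) and "alice@example.com" in s.members

def replay_after_demotion(store_cls) -> str:
    """Member demoted to viewer replays an old admin token; returns final role."""
    s = store_cls()
    token = s.invite("bob@example.com", "admin", T0)
    s.accept(token, T0 + 60)
    s.members["bob@example.com"] = "viewer"  # an admin demotes bob
    s.accept(token, T0 + 2 * DAY)
    return s.members["bob@example.com"]

def stale_token_accepted(store_cls) -> bool:
    """Token first used 30 days after issue."""
    s = store_cls()
    return s.accept(s.invite("carol@example.com", "editor", T0), T0 + 30 * DAY)

def live_invite_count(store_cls) -> int:
    """Same address invited twice: how many tokens remain usable?"""
    s = store_cls()
    s.invite("dave@example.com", "editor", T0)
    s.invite("dave@example.com", "admin", T0 + 60)
    return len(s.live_invites("dave@example.com"))
```

The demotion scenario is the privilege-escalation path the TL;DR mentions: the vulnerable store grants whatever role was captured when the invitation was issued, so an old admin invitation overrides a later demotion. The hardened store fixes that as a side effect of making tokens single-use, which is why expiry alone is not a sufficient fix.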
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.16.0
Vendor Advisory: https://github.com/openobserve/openobserve/security/advisories/GHSA-c856-2xpx-gw75
Restart Required: Yes
Instructions:
1. Back up your OpenObserve configuration and data.
2. Stop the OpenObserve service.
3. Update to version 0.16.0 or later using your deployment method (Docker, Kubernetes, binary).
4. Restart the service.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Manual Token Invalidation
Manually revoke all existing invitation tokens and reissue new ones to the users who still need to join.
# Requires administrative access to the OpenObserve metadata database.
# Illustrative SQL only: the table and column names below are not taken from the OpenObserve schema and must be checked against your deployment before running.
UPDATE invitation_tokens SET valid = false WHERE created_at < NOW();
🧯 If You Can't Patch
- Implement strict monitoring of user access logs for unexpected login attempts from removed users.
- Establish a process to manually revoke all invitation tokens whenever a user is removed from the organization.
🔍 How to Verify
Check if Vulnerable:
Confirm that your OpenObserve version is below 0.16.0 using the version endpoint or the web interface.
Check Version:
curl -s http://your-openobserve-server:5080/api/version
If that endpoint is not exposed on your build, the version is also shown in the web UI and, for container deployments, by the image tag.
Verify Fix Applied:
After updating to 0.16.0, exercise the invitation flow end to end: issue an invitation, remove the invited user, and confirm the old token is rejected; reissue an invitation to the same address and confirm the earlier token is no longer usable; and confirm that an unused token stops working once its expiry has passed.
📡 Detection & Monitoring
Log Indicators:
- User login from previously removed email addresses
- Multiple successful logins from the same invitation token
- Role escalation events without proper authorization
Network Indicators:
- Unusual API calls to invitation endpoints from unexpected sources
SIEM Query (Splunk-style; the field names are illustrative and must be mapped to what your OpenObserve audit log actually emits, and removed_users.csv is a lookup you maintain from your offboarding process):
index=openobserve ( event="user_login" [ | inputlookup removed_users.csv | fields user_email ] ) OR ( event="role_change" NOT auth_method="admin_console" )
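The three log indicators above run over constructed sample events, as an added example that is not part of the advisory and does not use OpenObserve's real audit-log format: the field names (event, user_email, invite_token_sha256, auth_method, new_role) and the five sample lines are assumptions, and the removed-user set stands in for the offboarding feed.

```python
"""Added detection example for the log indicators above. The sample lines
are constructed and the field names are assumptions, not OpenObserve's
audit-log schema."""
import json
from collections import Counter
from typing import Iterable, List, Set, Tuple

# Constructed sample events. Tokens are logged as a hash, never in the clear.
SAMPLE_LOGS = """\
{"ts":"2025-11-20T09:00:01Z","event":"user_login","user_email":"alice@example.com","invite_token_sha256":"3f2a9c0b7e11","auth_method":"invitation"}
{"ts":"2025-11-20T09:05:12Z","event":"user_login","user_email":"bob@example.com","invite_token_sha256":"9c77d2e4aa50","auth_method":"invitation"}
{"ts":"2025-11-20T09:07:40Z","event":"user_login","user_email":"carol@example.com","invite_token_sha256":"3f2a9c0b7e11","auth_method":"invitation"}
{"ts":"2025-11-20T09:08:03Z","event":"role_change","user_email":"carol@example.com","new_role":"admin","auth_method":"invitation"}
{"ts":"2025-11-20T09:30:00Z","event":"role_change","user_email":"dave@example.com","new_role":"editor","auth_method":"admin_console"}
"""

# Addresses removed from the organization, fed from your offboarding process.
REMOVED_USERS = {"bob@example.com"}

def detect(lines: Iterable[str], removed_users: Set[str]) -> List[Tuple[str, str]]:
    """Return (indicator, subject) pairs for the three log indicators."""
    findings: List[Tuple[str, str]] = []
    uses: Counter = Counter()  # how often each invitation token has logged in
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        kind, who = ev.get("event"), ev.get("user_email", "?")
        if kind == "user_login":
            if who in removed_users:
                findings.append(("login_by_removed_user", who))
            tok = ev.get("invite_token_sha256")
            if tok:
                uses[tok] += 1
                if uses[tok] > 1:  # a token meant to be single-use seen again
                    findings.append(("invite_token_reused", tok))
        elif kind == "role_change" and ev.get("auth_method") != "admin_console":
            findings.append(("role_change_outside_console", f"{who}->{ev.get('new_role')}"))
    return findings

def run_sample() -> List[Tuple[str, str]]:
    return detect(SAMPLE_LOGS.splitlines(), REMOVED_USERS)

if __name__ == "__main__":
    for indicator, subject in run_sample():
        print(f"{indicator}: {subject}")
```

On the sample input this flags bob's login (removed user), the second login with alice's token (token reuse), and carol's role change that did not come through the admin console; dave's console-driven role change is left alone. The token-reuse check keeps per-token state across the whole stream, so run it over a window long enough to span the original invitation and the replay.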