PT-2025-48364 · Unknown · Openobserve
Published: 2025-11-29 · Updated: 2025-11-29 · CVE-2025-66223
CVSS v4.0: 8.4 (High)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions: OpenObserve versions prior to 0.16.0
Description
OpenObserve is a cloud-native observability platform. Organization invitation tokens did not expire after being issued and remained valid even after the invited user was removed from the organization. Issuing multiple invitations to the same email address with different roles also left all of the issued links valid at the same time, so the recipient could pick whichever link carried the highest role. This is a broken access control issue: removed or demoted users could regain access to the organization or escalate their privileges.
Recommendations
Update to version 0.16.0 or later.
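The following in-memory model, added here as an illustration and not taken from OpenObserve's code base, shows the four controls whose absence the description implies: a time-to-live on every invitation, single use, supersession of any earlier live invitation for the same address, and revocation of outstanding links when a member is removed. All names (`OrgInviteStore`, `DEFAULT_TTL_SECONDS`, the example addresses) are assumptions; the clock is passed in explicitly so the cases are deterministic.

```python
"""Invitation-token lifecycle with expiry, single use, supersession and
revocation on removal. Added illustration; not OpenObserve's own code."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_TTL_SECONDS = 24 * 3600  # assumed policy: an invitation lives one day


@dataclass
class Invitation:
    email: str
    role: str
    expires_at: int          # unix seconds
    used: bool = False
    revoked: bool = False


@dataclass
class OrgInviteStore:
    """Store keyed by SHA-256 of the raw token, so a dump of the store
    does not by itself yield usable invitation links."""
    invites: Dict[str, Invitation] = field(default_factory=dict)
    members: Dict[str, str] = field(default_factory=dict)  # email -> role

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _is_live(inv: Invitation, now: int) -> bool:
        return not inv.used and not inv.revoked and now < inv.expires_at

    def issue(self, email: str, role: str, now: int,
              ttl: int = DEFAULT_TTL_SECONDS) -> str:
        # Supersede: at most one live invitation per address, so re-inviting
        # with a lower role cannot leave an older, higher-privileged link valid.
        for inv in self.invites.values():
            if inv.email == email and self._is_live(inv, now):
                inv.revoked = True
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.invites[self._key(token)] = Invitation(email, role, now + ttl)
        return token

    def redeem(self, token: str, now: int) -> Optional[str]:
        """Return the role granted, or None if the link is not usable."""
        inv = self.invites.get(self._key(token))
        if inv is None or not self._is_live(inv, now):
            return None
        inv.used = True                      # single use
        self.members[inv.email] = inv.role
        return inv.role

    def remove_member(self, email: str) -> None:
        """Drop the membership and revoke every outstanding link for the address."""
        self.members.pop(email, None)
        for inv in self.invites.values():
            if inv.email == email:
                inv.revoked = True


def demo() -> dict:
    """Constructed cases covering each failure mode named in the advisory."""
    store = OrgInviteStore()
    t0 = 1_700_000_000
    results = {}
    # Case 1: an invitation link expires.
    tok = store.issue("alice@example.test", "viewer", now=t0, ttl=3600)
    results["expired_rejected"] = store.redeem(tok, now=t0 + 3601) is None
    # Case 2: a link is single use.
    tok = store.issue("bob@example.test", "editor", now=t0)
    results["first_use"] = store.redeem(tok, now=t0 + 10)
    results["reuse_rejected"] = store.redeem(tok, now=t0 + 20) is None
    # Case 3: re-inviting with a lower role supersedes the earlier admin link.
    admin_tok = store.issue("carol@example.test", "admin", now=t0)
    viewer_tok = store.issue("carol@example.test", "viewer", now=t0 + 5)
    results["old_admin_link_dead"] = store.redeem(admin_tok, now=t0 + 10) is None
    results["new_role"] = store.redeem(viewer_tok, now=t0 + 10)
    # Case 4: removing a member kills any link still outstanding for them.
    tok = store.issue("dave@example.test", "editor", now=t0)
    store.remove_member("dave@example.test")
    results["removed_cannot_rejoin"] = store.redeem(tok, now=t0 + 2) is None
    results["members"] = dict(store.members)
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that supersession happens at issue time and revocation at removal time, rather than relying on the redeem path to re-check the user's current standing; that keeps the set of live links for an address small and auditable, and an expiry check on redeem then closes the remaining window.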
Weakness Types: Improper Access Control; Insufficient Session Expiration
Related Identifiers: CVE-2025-66223
Affected Products: Openobserve