PT-2025-48364 · Unknown · Openobserve

Published: 2025-11-29 · Updated: 2025-11-29 · CVE-2025-66223

CVSS v4.0 score: 8.4
Vector: AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenObserve versions prior to 0.16.0

Description: OpenObserve is a cloud-native observability platform. Organization invitation tokens did not expire after being issued and remained valid even after a user was removed from the organization. Multiple invitations to the same email address with different roles also resulted in all issued links remaining valid simultaneously. This created a broken access control issue, allowing removed or demoted users to regain access or escalate privileges.

Recommendations: Update to version 0.16.0 or later.
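The three controls the description implies (time-boxed invites, one live invite per address, revocation when the member is removed) as an added illustration in Rust; this is not OpenObserve's code, and the token format, the TTL and the caller-supplied clock are assumptions.

```rust
use std::collections::HashMap;

/// Outcome of trying to redeem an invitation token.
#[derive(Debug, PartialEq)]
pub enum Redeem { Ok { email: String, role: String }, Unknown, Expired, Revoked, Used }

struct Invite { email: String, role: String, expires_at: u64, revoked: bool, used: bool }

/// Invitation store: one live invite per e-mail, time-boxed, single-use, revocable.
/// `now` values are seconds from any monotonic or wall clock chosen by the caller.
pub struct InviteStore { ttl_secs: u64, next_id: u64, invites: HashMap<String, Invite> }

impl InviteStore {
    pub fn new(ttl_secs: u64) -> Self {
        InviteStore { ttl_secs, next_id: 0, invites: HashMap::new() }
    }

    /// Issue an invite. Any earlier live invite for the same e-mail is revoked first,
    /// so re-inviting with a lower role cannot leave the old higher-role link valid.
    pub fn issue(&mut self, email: &str, role: &str, now: u64) -> String {
        self.revoke_for(email);
        self.next_id += 1;
        // Placeholder token format (assumption); a real system must use a CSPRNG token.
        let token = format!("inv-{}", self.next_id);
        self.invites.insert(token.clone(), Invite {
            email: email.to_string(), role: role.to_string(),
            expires_at: now + self.ttl_secs, revoked: false, used: false,
        });
        token
    }

    /// Call when a member is removed or demoted: every invite for that e-mail dies with them.
    pub fn revoke_for(&mut self, email: &str) {
        for inv in self.invites.values_mut().filter(|i| i.email == email) { inv.revoked = true; }
    }

    /// Redeem checks revocation, single use and expiry before granting the stored role.
    pub fn redeem(&mut self, token: &str, now: u64) -> Redeem {
        let inv = match self.invites.get_mut(token) { Some(i) => i, None => return Redeem::Unknown };
        if inv.revoked { return Redeem::Revoked; }
        if inv.used { return Redeem::Used; }
        if now >= inv.expires_at { return Redeem::Expired; }
        inv.used = true;
        Redeem::Ok { email: inv.email.clone(), role: inv.role.clone() }
    }
}
```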

Fix

Weakness Enumeration

Insufficient Session Expiration
Improper Access Control

Related Identifiers

CVE-2025-66223
GHSA-C856-2XPX-GW75

Affected Products

Openobserve