Description
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issued links remain valid simultaneously. This results in broken access control where a removed or demoted user can regain access or escalate privileges. This issue has been patched in version 0.16.0.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/openobserve/openobserve/security/advisories/GHSA-c856-2xpx-gw75
Scores
CVSS v4
8.4
EPSS
0.0025
EPSS Percentile
16.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-284
CWE-613
Status
published
Products (1)
openobserve/openobserve
< 0.16.0
Published
Nov 29, 2025
Tracked Since
Feb 18, 2026