Access Control Flaw in OpenObserve by OpenObserve
CVE-2025-66223

8.4 HIGH

Key Information:

Vendor: OpenObserve
CVE Published: 29 November 2025

What is CVE-2025-66223?

OpenObserve, a cloud-native observability platform, mishandles organization invitation tokens in versions before 0.16.0. An invitation token never expires once issued, and it stays valid even after the invited user has been removed from the organization. Because several invitations can be issued to the same email address with different roles, a removed user can rejoin by redeeming an old token, and a demoted user can redeem an earlier, higher-privilege invitation to regain the role that was taken away. Until an instance is upgraded, every invitation ever issued to an address that was later removed or demoted should be treated as a live credential. The issue is fixed in version 0.16.0.
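The following is an added illustration written for this page; it is not OpenObserve's code and says nothing about how OpenObserve stores invitations. It contrasts an invite store with the properties the advisory describes (tokens that never expire, survive member removal, and stay redeemable alongside other invites for the same address) with a hardened design in which invites carry a TTL, are single-use, are superseded by a newer invite for the same address, and are revoked when the member is removed. All type and function names (`WeakInviteStore`, `HardenedInviteStore`, `accept`, `demo`) and the sample addresses are assumptions made up for the example.

```rust
// Added example, not OpenObserve code: two toy organization-invite stores.
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role { Viewer, Admin }

#[derive(Clone, Debug)]
struct Invite { email: String, role: Role, issued_at: u64, used: bool }

/// Weak store, modelling the advisory: tokens never expire, are never tied to
/// membership changes, and every outstanding invite for an address stays redeemable.
#[derive(Default)]
pub struct WeakInviteStore { invites: HashMap<String, Invite>, members: HashMap<String, Role> }

impl WeakInviteStore {
    pub fn invite(&mut self, token: &str, email: &str, role: Role, now: u64) {
        self.invites.insert(token.to_string(), Invite { email: email.into(), role, issued_at: now, used: false });
    }
    pub fn remove_member(&mut self, email: &str) { self.members.remove(email); }
    /// Any token that was ever issued grants its role, at any time, any number of times.
    pub fn accept(&mut self, token: &str, _now: u64) -> Option<Role> {
        let inv = self.invites.get(token)?;
        self.members.insert(inv.email.clone(), inv.role);
        Some(inv.role)
    }
    pub fn role_of(&self, email: &str) -> Option<Role> { self.members.get(email).copied() }
}

/// Hardened store (an assumed design, not OpenObserve's fix): invites expire after
/// `ttl` seconds, are single-use, a new invite for an address supersedes earlier ones,
/// and removing a member revokes every invite issued to that address.
pub struct HardenedInviteStore { ttl: u64, invites: HashMap<String, Invite>, members: HashMap<String, Role> }

impl HardenedInviteStore {
    pub fn new(ttl: u64) -> Self { Self { ttl, invites: HashMap::new(), members: HashMap::new() } }
    pub fn invite(&mut self, token: &str, email: &str, role: Role, now: u64) {
        // One outstanding invite per address: drop earlier tokens so a stale,
        // higher-privilege invite cannot be redeemed after a demotion.
        self.invites.retain(|_, i| i.email != email);
        self.invites.insert(token.to_string(), Invite { email: email.into(), role, issued_at: now, used: false });
    }
    pub fn remove_member(&mut self, email: &str) {
        self.members.remove(email);
        self.invites.retain(|_, i| i.email != email); // removal revokes pending invites
    }
    pub fn accept(&mut self, token: &str, now: u64) -> Result<Role, &'static str> {
        let inv = self.invites.get_mut(token).ok_or("unknown or revoked token")?;
        if inv.used { return Err("token already used"); }
        if now.saturating_sub(inv.issued_at) > self.ttl { return Err("token expired"); }
        inv.used = true;
        let (email, role) = (inv.email.clone(), inv.role);
        self.members.insert(email, role);
        Ok(role)
    }
    pub fn role_of(&self, email: &str) -> Option<Role> { self.members.get(email).copied() }
}

/// Replays the advisory's scenario against both stores: an Admin invite is issued,
/// then a Viewer invite for the same address is issued and redeemed, then the user
/// is removed, then the old Admin token is redeemed. Returns the outcome of that
/// last step for (weak store, hardened store).
pub fn demo() -> (Option<Role>, Result<Role, &'static str>) {
    let eve = "eve@example.com"; // constructed sample address
    let mut weak = WeakInviteStore::default();
    weak.invite("tokA", eve, Role::Admin, 0);
    weak.invite("tokB", eve, Role::Viewer, 1);
    weak.accept("tokB", 2);
    weak.remove_member(eve);
    let weak_after = weak.accept("tokA", 10_000_000); // stale Admin token still works

    let mut hard = HardenedInviteStore::new(3600);
    hard.invite("tokA", eve, Role::Admin, 0);
    hard.invite("tokB", eve, Role::Viewer, 1); // supersedes tokA
    hard.accept("tokB", 2).expect("fresh invite is redeemable");
    hard.remove_member(eve);                   // revokes tokB as well
    let hard_after = hard.accept("tokA", 3);
    (weak_after, hard_after)
}

fn main() {
    let (weak, hard) = demo();
    println!("weak store after removal: {:?}", weak);   // Some(Admin)
    println!("hardened store after removal: {:?}", hard); // Err("unknown or revoked token")
}
```

The weak store hands the removed user an Admin role from a token issued before the demotion; the hardened store rejects it because issuing `tokB` already invalidated `tokA` and removing the member invalidated `tokB`. The TTL and single-use checks close the two remaining replay paths independently of the membership logic.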

Affected Version(s)

openobserve < 0.16.0

CVSS v4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Privileges Required and User Interaction are not stated on this page, so the full CVSS v4 vector behind the 8.4 score cannot be reconstructed from the metrics listed here.
