Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66223

CVE-2025-66223: OpenObserve Privilege Escalation Flaw

CVE-2025-66223 is a privilege escalation vulnerability in OpenObserve caused by non-expiring invitation tokens that allow removed users to regain access. This article covers technical details, affected versions, and patches.

Published:

CVE-2025-66223 Overview

CVE-2025-66223 is a broken access control vulnerability [CWE-284] in OpenObserve, a cloud-native observability platform. Versions prior to 0.16.0 issue organization invitation tokens that never expire. The tokens remain valid after the invited user is removed from the organization. The platform also accepts multiple concurrent invitations to the same email with different roles, leaving every issued link active. A removed or demoted user can reuse a prior invitation link to regain access or escalate privileges. The OpenObserve maintainers patched the issue in version 0.16.0.

Critical Impact

Removed users can re-enter organizations and stale invitation links can be used to escalate privileges, breaking tenant isolation guarantees.

Affected Products

  • OpenObserve versions prior to 0.16.0
  • OpenObserve self-hosted deployments using organization invitations
  • OpenObserve multi-tenant environments relying on role-based access control

Discovery Timeline

  • 2025-11-29 - CVE-2025-66223 published to the National Vulnerability Database (NVD)
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-66223

Vulnerability Analysis

The vulnerability resides in OpenObserve's organization invitation workflow. The platform generates a token-bearing link when an administrator invites a user to an organization. The token has no expiration time, no single-use enforcement, and no revocation tied to organization membership state.

When an administrator removes a user from an organization, the previously issued invitation token remains accepted by the server. A user who retained a copy of the original email or link can replay the token to rejoin the organization with the role originally granted.

The issue is compounded by the platform's handling of concurrent invitations. If an administrator issues several invitations to the same email address with different roles, for example viewer then admin, every issued link stays active simultaneously. The recipient can choose which token to redeem, including one carrying a higher role than the current intended assignment.

Root Cause

The root cause is missing lifecycle enforcement on invitation artifacts [CWE-284]. Invitation tokens are issued without an expiration timestamp, are not invalidated when the underlying membership changes, and are not deduplicated per recipient. Authorization decisions trust the token in isolation rather than reconciling it with the current membership and role state.

Attack Vector

The attack requires a network-reachable OpenObserve instance and user interaction to redeem the invitation link. An attacker with prior membership or a previously issued invitation can replay the stored token after their access has been revoked or downgraded. A demoted user holding an older higher-privilege invitation can redeem it to escalate back to administrator. No exploit code is publicly available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

No verified proof-of-concept code is published. See the GitHub Security Advisory GHSA-c856-2xpx-gw75 for vendor-provided technical detail.

Detection Methods for CVE-2025-66223

Indicators of Compromise

  • Successful organization join events from users previously removed from that organization.
  • Role changes that occur immediately after an invitation redemption rather than an administrator action.
  • Multiple active invitation tokens issued to the same email address with differing role assignments.
  • Invitation redemptions occurring days or weeks after the original invitation was sent.

Detection Strategies

  • Correlate user_removed events with subsequent invitation_redeemed events for the same email address.
  • Audit the invitations table for tokens lacking an expires_at value or carrying duplicate recipients.
  • Alert when a user's effective role increases without a corresponding administrator action in the audit log.

Monitoring Recommendations

  • Forward OpenObserve audit logs to a centralized SIEM and retain invitation and membership events for at least 90 days.
  • Review organization membership weekly and compare current rosters against the prior week to identify silent re-adds.
  • Monitor authentication logs for accounts that authenticate after being removed from all organizations.

How to Mitigate CVE-2025-66223

Immediate Actions Required

  • Upgrade OpenObserve to version 0.16.0 or later on all self-hosted and managed instances.
  • Revoke and reissue any outstanding invitations created before the upgrade.
  • Audit current organization membership against expected rosters and remove any unauthorized users.
  • Force re-authentication for all organization members after applying the patch.

Patch Information

The vendor patched CVE-2025-66223 in OpenObserve version 0.16.0. The fix enforces invitation token expiration, invalidates tokens when a user is removed from an organization, and prevents multiple concurrent invitations to the same email with different roles. Refer to the OpenObserve GitHub Security Advisory for release details.

Workarounds

  • If immediate upgrade is not possible, manually purge pending invitation records from the database after each user removal.
  • Restrict who can issue organization invitations to a small group of trusted administrators.
  • Require invited users to redeem links within a short, manually tracked window and revoke unused invitations.
bash
# Configuration example: verify installed OpenObserve version and upgrade
openobserve --version
# Upgrade container deployments to the patched release
docker pull public.ecr.aws/zinclabs/openobserve:v0.16.0
docker stop openobserve && docker rm openobserve
docker run -d --name openobserve \
  -p 5080:5080 \
  -e ZO_ROOT_USER_EMAIL="admin@example.com" \
  -e ZO_ROOT_USER_PASSWORD="<rotated-password>" \
  public.ecr.aws/zinclabs/openobserve:v0.16.0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.