CVE-2025-66223 HIGH

CVE-2025-66223: OpenObserve's Invite Token Lifecycle Misconfiguration

Vendor Openobserve
Product openobserve
Weakness CWE-613 · Insufficient session expiration
Published November 29, 2025
Last update December 1, 2025

CVSS base score: 8.4 / 10

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Active
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens never expire once issued, remain valid even after the invited user has been removed from the organization, and can be issued repeatedly to the same email address with different roles, with every issued link staying valid at the same time. The result is broken access control: a removed or demoted user can regain access or escalate privileges by redeeming an old invitation link. This issue has been patched in version 0.16.0.
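The three defects above are all lifecycle rules an invite store should enforce: a time-to-live on every token, revocation when the invited member is removed, and a newer invite superseding any older pending one for the same address. The following is an added, hypothetical illustration of such a store; it is not OpenObserve's code (OpenObserve itself is written in Rust, but nothing here is taken from its code base), and the type and function names, the fixed TTL, the string-based roles and the deterministic token derivation are all assumptions made for a self-contained example. A production system would draw tokens from a CSPRNG and persist only their hashes.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// Seconds since the Unix epoch; an integer clock keeps the example deterministic.
type UnixTime = u64;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum InviteError {
    Unknown,     // no such token
    Expired,     // past its TTL
    Revoked,     // invited user was removed from the org
    Superseded,  // a newer invite for the same (org, email) replaced it
    AlreadyUsed, // single-use token redeemed twice
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum State { Pending, Used, Revoked, Superseded }

#[derive(Debug, Clone)]
struct Invite {
    org: String,
    email: String,
    role: String,
    expires_at: UnixTime,
    state: State,
}

/// Hypothetical invite store (constructed for this example, not a real API).
pub struct InviteStore {
    ttl_secs: u64,
    next_id: u64,
    invites: HashMap<String, Invite>, // token -> invite
}

impl InviteStore {
    pub fn new(ttl_secs: u64) -> Self {
        InviteStore { ttl_secs, next_id: 0, invites: HashMap::new() }
    }

    /// Issue an invite with a TTL. Any still-pending invite for the same
    /// (org, email) is marked Superseded, so only the newest link and role work.
    pub fn issue(&mut self, org: &str, email: &str, role: &str, now: UnixTime) -> String {
        for inv in self.invites.values_mut() {
            if inv.org == org && inv.email == email && inv.state == State::Pending {
                inv.state = State::Superseded;
            }
        }
        let token = self.new_token(org, email, now);
        self.invites.insert(token.clone(), Invite {
            org: org.to_string(),
            email: email.to_string(),
            role: role.to_string(),
            expires_at: now + self.ttl_secs,
            state: State::Pending,
        });
        token
    }

    /// Hook for member removal: every pending invite for that email in that org
    /// is revoked, so an old link cannot be used to get back in. Returns the count.
    pub fn on_member_removed(&mut self, org: &str, email: &str) -> usize {
        let mut revoked = 0;
        for inv in self.invites.values_mut() {
            if inv.org == org && inv.email == email && inv.state == State::Pending {
                inv.state = State::Revoked;
                revoked += 1;
            }
        }
        revoked
    }

    /// Redeem a token: it must be known, pending, unexpired, and is single-use.
    /// On success returns (org, email, role) for the caller to apply.
    pub fn redeem(&mut self, token: &str, now: UnixTime) -> Result<(String, String, String), InviteError> {
        let inv = self.invites.get_mut(token).ok_or(InviteError::Unknown)?;
        match inv.state {
            State::Revoked => return Err(InviteError::Revoked),
            State::Superseded => return Err(InviteError::Superseded),
            State::Used => return Err(InviteError::AlreadyUsed),
            State::Pending => {}
        }
        if now >= inv.expires_at {
            return Err(InviteError::Expired);
        }
        inv.state = State::Used;
        Ok((inv.org.clone(), inv.email.clone(), inv.role.clone()))
    }

    /// Placeholder token derivation so the example runs offline; a real system
    /// uses a cryptographically random token, not a hash of predictable fields.
    fn new_token(&mut self, org: &str, email: &str, now: UnixTime) -> String {
        self.next_id += 1;
        let mut h = DefaultHasher::new();
        (self.next_id, org, email, now).hash(&mut h);
        format!("inv_{:016x}", h.finish())
    }
}

fn main() {
    let mut store = InviteStore::new(3600); // 1 hour TTL (constructed value)
    let old = store.issue("acme", "a@example.com", "viewer", 1000);
    let new = store.issue("acme", "a@example.com", "admin", 1001);
    println!("old link: {:?}", store.redeem(&old, 1002)); // Superseded
    println!("new link, later: {:?}", store.redeem(&new, 5000)); // Expired
}
```

The checks in `redeem` are ordered so that a revoked or superseded token is refused even before the expiry test, and `on_member_removed` is meant to be called from the same code path that removes the member, not left to a separate cleanup job.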

Disclosure timeline

November 29, 2025 CVE published
December 1, 2025 Record updated