CVE-2025-66223

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-66223

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66223.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-66223

Aliases

GHSA-c856-2xpx-gw75

Published

2025-11-29T02:45:42.467Z

Modified

2026-03-10T21:52:50.473022Z

Severity

8.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

OpenObserve's Invite Token Lifecycle Misconfiguration

Details

OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issued links remain valid simultaneously. This results in broken access control where a removed or demoted user can regain access or escalate privileges. This issue has been patched in version 0.16.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66223.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-284",
        "CWE-613"
    ]
}

References

Affected packages

Git / github.com/openobserve/openobserve

Affected ranges

Type

GIT

Repo

https://github.com/openobserve/openobserve

Events

Introduced

Fixed

bde0099cd3562b03ec274f4748ae32ef8e6b4bb9

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.16.0"
        }
    ]
}

Affected versions

v0.*

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.10.0

v0.10.1

v0.10.2

v0.10.2-rc1

v0.10.3

v0.10.4

v0.10.5

v0.10.6

v0.10.6-rc1

v0.10.6-rc2

v0.10.7

v0.10.7-rc1

v0.10.7-rc2

v0.10.7-rc3

v0.10.8

v0.10.8-rc1

v0.10.8-rc2

v0.10.8-rc3

v0.10.8-rc4

v0.10.8-rc5

v0.10.9

v0.10.9-rc1

v0.10.9-rc2

v0.10.9-rc3

v0.10.9-rc4

v0.11.0

v0.11.0-rc1

v0.11.0-rc2

v0.11.0-rc3

v0.12.0

v0.12.0-rc1

v0.12.0-rc2

v0.12.1

v0.13.0

v0.13.0-rc1

v0.13.0-rc2

v0.13.1

v0.13.1-rc1

v0.13.1-rc2

v0.13.1-rc3

v0.13.2-rc1

v0.13.2-rc2

v0.13.2-rc3

v0.13.2-rc4

v0.14.0

v0.14.1

v0.14.1-rc1

v0.14.1-rc2

v0.14.1-rc3

v0.14.2

v0.14.3

v0.14.3-rc1

v0.14.3-rc2

v0.14.3-rc3

v0.14.4

v0.14.5

v0.14.5-rc1

v0.14.5-rc2

v0.14.5-rc3

v0.14.5-rc4

v0.14.5-rc5

v0.14.5-rc6

v0.14.6

v0.14.6-rc1

v0.14.6-rc2

v0.14.6-rc3

v0.14.6-rc4

v0.14.6-rc5

v0.14.6-rc6

v0.14.6-rc7

v0.14.6-rc8

v0.14.7

v0.15.0

v0.15.0-rc1

v0.15.0-rc2

v0.15.0-rc3

v0.15.0-rc5

v0.16.0-rc1

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.4.6

v0.4.7

v0.4.8

v0.4.9

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.7.0

v0.7.0-rc1

v0.7.0-rc2

v0.7.2

v0.7.2-rc1

v0.8.0

v0.8.0-rc1

v0.8.0-rc2

v0.8.1

v0.8.1-rc1

v0.8.1-rc2

v0.8.2-rc1

v0.8.2-rc2

v0.8.2-rc3

v0.8.2-rc4

v0.8.2-rc5

v0.8.2-rc6

v0.8.2-rc7

v0.9.0-rc1

v0.9.0-rc2

v0.9.0-rc3

v0.9.0-rc4

v0.9.0-rc5

v0.9.0-rc6

v0.9.0-rc7

v0.9.0-rc8

v0.9.1

v0.9.2-rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66223.json"