CVE-2026-29181— OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
Possible ATT&CK Techniques 1AI
T1496 · Resource HijackingGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-29181
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenTelemetry-Go 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenTelemetry-Go是OpenTelemetry - CNCF开源的一个开发者工具包。 OpenTelemetry-Go 1.36.0至1.40.0版本存在安全漏洞,该漏洞源于多值baggage标头提取独立解析每个标头字段值并跨值聚合成员,可能导致攻击者通过发送大量baggage标头行来放大CPU消耗和内存分配。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| open-telemetry | opentelemetry-go | >= 1.36.0, < 1.41.0 | - |
II. Public POCs for CVE-2026-29181
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-29181
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-29181 (1)
IV. Related Vulnerabilities
Same vendor: open-telemetry
- CVE-2026-42602
azureauthextension Authenticate method does not validate bea - CVE-2026-42191
OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry def - CVE-2026-42348
OpAMP client reads unbounded HTTP response bodies - CVE-2026-41484
OpenTelemetry.Exporter.OneCollector vulnerable to denial of - CVE-2026-41483
Unbounded HTTP response body read in OpenTelemetry.Resources
Same weakness: CWE-770
- CVE-2026-44070
Unbounded realloc in charset conversion - CVE-2026-8488
Allocation of resources without limits or throttling vulnera - CVE-2026-8486
Allocation of resources without limits or throttling vulnera - CVE-2026-8469
Unauthenticated denial-of-service via BEAM atom table exhaus - CVE-2026-9064
389-ds-base: 389-ds-base: unbounded ldap controls count in g
V. Comments for CVE-2026-29181
No comments yet