CVE-2026-39883— OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking

EPSS 0.01% · P1 Updated Apr 12, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-39883

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking

Source: NVD (National Vulnerability Database)

Vulnerability Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

不可信的搜索路径

Source: NVD (National Vulnerability Database)

Vulnerability Title

OpenTelemetry-Go 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

OpenTelemetry-Go是OpenTelemetry - CNCF开源的一个开发者工具包。 OpenTelemetry-Go 1.15.0至1.42.0版本存在代码问题漏洞，该漏洞源于路径劫持，可能导致命令执行。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
open-telemetry	opentelemetry-go	>= 1.15.0, < 1.43.0	-

II. Public POCs for CVE-2026-39883

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-39883

请登录查看更多情报信息。

IV. Related Vulnerabilities

Same product: opentelemetry-go

Same vendor: open-telemetry

Same weakness: CWE-426

V. Comments for CVE-2026-39883

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-39883— OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking

I. Basic Information for CVE-2026-39883

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-39883

III. Intelligence Information for CVE-2026-39883

IV. Related Vulnerabilities

V. Comments for CVE-2026-39883

Leave a comment