
open-telemetry — Vulnerabilities & Security Advisories (24)

Browse all 24 CVE security advisories affecting open-telemetry. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenTelemetry serves as a vendor-agnostic framework for generating, collecting, and exporting telemetry data, primarily supporting observability in cloud-native environments. Despite its utility in monitoring system performance, the project has recorded twenty-one Common Vulnerabilities and Exposures (CVEs), reflecting inherent risks in complex distributed systems. Historically, these security issues have predominantly stemmed from improper input validation, leading to remote code execution and cross-site scripting vulnerabilities, alongside occasional privilege escalation flaws arising from insufficient access controls. While no single catastrophic incident has defined the project’s history, the accumulation of these defects highlights the challenges of maintaining security in open-source infrastructure tools. Developers must rigorously audit dependencies and enforce strict input sanitization to mitigate these persistent threats, ensuring that the widespread adoption of telemetry does not inadvertently expand the attack surface for critical enterprise applications.

CVE ID | Title | Project | CWE | CVSS | Severity | Published
CVE-2026-41484 | OpenTelemetry.Exporter.OneCollector vulnerable to denial of service via unbounded HTTP error response body | opentelemetry-dotnet-contrib | CWE-770 | 5.3 | Medium | 2026-05-06
CVE-2026-41483 | Unbounded HTTP response body read in OpenTelemetry.Resources.Azure | opentelemetry-dotnet-contrib | CWE-770 | 5.9 | Medium | 2026-05-06
CVE-2026-41310 | OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth | opentelemetry-dotnet | CWE-770 | 5.3 | Medium | 2026-05-06
CVE-2026-41433 | OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR | opentelemetry-ebpf-instrumentation | CWE-22 | 8.4 | High | 2026-04-24
CVE-2026-41173 | Unbounded HTTP response body read in OpenTelemetry.Sampler.AWS | opentelemetry-dotnet-contrib | CWE-770 | 5.9 | Medium | 2026-04-23
CVE-2026-41078 | OpenTelemetry dotnet: Potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path | opentelemetry-dotnet | CWE-770 | 5.9 | Medium | 2026-04-23
CVE-2026-40894 | OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers | opentelemetry-dotnet | CWE-789 | 5.3 | Medium | 2026-04-23
CVE-2026-40891 | OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling | opentelemetry-dotnet | CWE-789 | 5.3 | Medium | 2026-04-23
CVE-2026-40182 | OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies | opentelemetry-dotnet | CWE-789 | 5.3 | Medium | 2026-04-23
CVE-2026-39883 | OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking | opentelemetry-go | CWE-426 | 9.8 (AI) | Critical (AI) | 2026-04-08
CVE-2026-39882 | OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies | opentelemetry-go | CWE-789 | 5.3 | Medium | 2026-04-08
CVE-2026-29181 | OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification) | opentelemetry-go | CWE-770 | 7.5 | High | 2026-04-07
CVE-2026-33701 | OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution | opentelemetry-java-instrumentation | CWE-502 | 8.1 | - | 2026-03-27
CVE-2026-24051 | OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking | opentelemetry-go | CWE-426 | 7.0 | High | 2026-02-02
CVE-2025-27513 | OpenTelemetry .NET has a Denial of Service (DoS) Vulnerability in API Package | opentelemetry-dotnet | CWE-770 | 7.5 | High | 2025-03-05
CVE-2024-45043 | OpenTelemetry Collector AWS Firehose Receiver Authentication Bypass Vulnerability | opentelemetry-collector-contrib | CWE-200 | 5.3 | Medium | 2024-08-28
CVE-2024-42368 | open-telemetry has an Observable Timing Discrepancy | opentelemetry-collector-contrib | CWE-208 | 6.5 | Medium | 2024-08-13
CVE-2024-36129 | OpenTelemetry Collector has a Denial of Service via Zip/Decompression Bomb sent over HTTP or gRPC | opentelemetry-collector | CWE-119 | 8.2 | High | 2024-06-05
CVE-2024-32028 | Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore | opentelemetry-dotnet | CWE-212 | 4.1 | Medium | 2024-04-12
CVE-2023-47108 | DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality metrics | opentelemetry-go-contrib | CWE-770 | 7.5 | High | 2023-11-10
CVE-2023-45142 | OpenTelemetry-Go Contrib has DoS vulnerability in otelhttp due to unbound cardinality metrics | opentelemetry-go-contrib | CWE-770 | 7.5 | High | 2023-10-12
CVE-2023-43810 | opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics | opentelemetry-python-contrib | CWE-400 | 7.5 | High | 2023-10-06
CVE-2023-39951 | Instrumentation for AWS SDK v2 captures email content when using Amazon Simple Email Service (SES) v1 API, exposing that content to the telemetry backend | opentelemetry-java-instrumentation | CWE-200 | 6.5 | Medium | 2023-08-08
CVE-2023-25151 | DoS vulnerability for high cardinality metrics in opentelemetry-go-contrib | opentelemetry-go-contrib | CWE-400 | 7.5 | High | 2023-02-08

This page lists every published CVE security advisory associated with open-telemetry. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.