open-telemetry — Vulnerabilities & Security Advisories 44

Browse all 44 CVE security advisories affecting open-telemetry. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenTelemetry serves as a vendor-agnostic framework for generating, collecting, and exporting telemetry data, primarily supporting observability in cloud-native environments. Despite its utility in monitoring system performance, the project has recorded twenty-one Common Vulnerabilities and Exposures (CVEs), reflecting inherent risks in complex distributed systems. Historically, these security issues have predominantly stemmed from improper input validation, leading to remote code execution and cross-site scripting vulnerabilities, alongside occasional privilege escalation flaws arising from insufficient access controls. While no single catastrophic incident has defined the project’s history, the accumulation of these defects highlights the challenges of maintaining security in open-source infrastructure tools. Developers must rigorously audit dependencies and enforce strict input sanitization to mitigate these persistent threats, ensuring that the widespread adoption of telemetry does not inadvertently expand the attack surface for critical enterprise applications.

| CVE ID | Title | Project | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-54285 | opentelemetry-js: Unbounded memory allocation in W3C Baggage propagation | opentelemetry-js | CWE-770 | 5.3 | Medium | 2026-06-22 |
| CVE-2026-44967 | opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response | opentelemetry-cpp | CWE-789 | 5.3 | Medium | 2026-06-12 |
| CVE-2026-45287 | OpenTelemetry-Go's Schema ParseFile leaks file descriptors on each parse | go.opentelemetry.io/otel/schema/v1.1 | CWE-772 | - | - | 2026-06-04 |
| CVE-2026-41178 | OpenTelemetry-Go's baggage parsing no longer caps raw header length | go.opentelemetry.io/otel/baggage | CWE-789 | 5.3 | Medium | 2026-06-04 |
| CVE-2026-45686 | OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI | opentelemetry-ebpf-instrumentation | CWE-190 | 7.5 | High | 2026-06-02 |
| CVE-2026-45685 | OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages | opentelemetry-ebpf-instrumentation | CWE-20 | 7.5 | High | 2026-06-02 |
| CVE-2026-45684 | OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers | opentelemetry-ebpf-instrumentation | CWE-126 | 4.9 | Medium | 2026-06-02 |
| CVE-2026-45683 | OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure | opentelemetry-ebpf-instrumentation | CWE-127 | 3.8 | Low | 2026-06-02 |
| CVE-2026-45681 | OpenTelemetry eBPF Instrumentation: CPU-mismatch fallback uses 256-byte buffer with 8KB size | opentelemetry-ebpf-instrumentation | CWE-125 | 5.9 | Medium | 2026-06-02 |
| CVE-2026-45680 | OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU | opentelemetry-ebpf-instrumentation | CWE-400 | 5.9 | Medium | 2026-06-02 |
| CVE-2026-45679 | OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages | opentelemetry-ebpf-instrumentation | CWE-117 | 6.5 | Medium | 2026-06-02 |
| CVE-2026-45678 | OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads | opentelemetry-ebpf-instrumentation | CWE-20 | 7.5 | High | 2026-06-02 |
| CVE-2026-45676 | OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent | opentelemetry-ebpf-instrumentation | CWE-20 | 5.5 | Medium | 2026-06-02 |
| CVE-2026-45682 | OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals | opentelemetry-ebpf-instrumentation | CWE-401 | 5.1 | Medium | 2026-06-02 |
| CVE-2026-45292 | opentelemetry-java: Unbounded Memory Allocation in W3C Baggage Propagation | opentelemetry-java | CWE-770 | 5.3 | Medium | 2026-05-28 |
| CVE-2026-44902 | opentelemetry-js: Prometheus exporter process crash via malformed HTTP request | opentelemetry-js | CWE-755 | 7.5 | High | 2026-05-27 |
| CVE-2026-44213 | OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured | opentelemetry-dotnet-contrib | CWE-295 | 6.5 | Medium | 2026-05-26 |
| CVE-2026-42602 | azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay | opentelemetry-collector-contrib | CWE-208 | 8.1 | High | 2026-05-13 |
| CVE-2026-42191 | OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry default temp path enables local blob injection for OTLP Exporter | opentelemetry-dotnet | CWE-379 | 6.5 | Medium | 2026-05-12 |
| CVE-2026-42348 | OpAMP client reads unbounded HTTP response bodies | opentelemetry-dotnet-contrib | CWE-789 | 5.9 | Medium | 2026-05-12 |
| CVE-2026-41484 | OpenTelemetry.Exporter.OneCollector vulnerable to denial of service via unbounded HTTP error response body | opentelemetry-dotnet-contrib | CWE-770 | 5.3 | Medium | 2026-05-06 |
| CVE-2026-41483 | Unbounded HTTP response body read in OpenTelemetry.Resources.Azure | opentelemetry-dotnet-contrib | CWE-770 | 5.9 | Medium | 2026-05-06 |
| CVE-2026-41310 | OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth | opentelemetry-dotnet | CWE-770 | 5.3 | Medium | 2026-05-06 |
| CVE-2026-41433 | OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR | opentelemetry-ebpf-instrumentation | CWE-22 | 8.4 | High | 2026-04-24 |
| CVE-2026-41173 | Unbounded HTTP response body read in OpenTelemetry.Sampler.AWS | opentelemetry-dotnet-contrib | CWE-770 | 5.9 | Medium | 2026-04-23 |
| CVE-2026-41078 | OpenTelemetry dotnet: Potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path | opentelemetry-dotnet | CWE-770 | 5.9 | Medium | 2026-04-23 |
| CVE-2026-40894 | OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers | opentelemetry-dotnet | CWE-789 | 5.3 | Medium | 2026-04-23 |
| CVE-2026-40891 | OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling | opentelemetry-dotnet | CWE-789 | 5.3 | Medium | 2026-04-23 |
| CVE-2026-40182 | OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies | opentelemetry-dotnet | CWE-789 | 5.3 | Medium | 2026-04-23 |
| CVE-2026-39883 | OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking | opentelemetry-go | CWE-426 | 9.8 (AI) | Critical (AI) | 2026-04-08 |

This page lists every published CVE security advisory associated with open-telemetry. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.