PT-2026-31016 · Opentelemetry · Opentelemetry-Go
1Seal · Published 2026-04-07 · Updated 2026-05-21 · CVE-2026-29181
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OpenTelemetry-Go versions 1.36.0 through 1.40.0

Description: The OpenTelemetry-Go implementation is susceptible to a remote request amplification issue in its handling of multi-value baggage headers. The extractMultiBaggage function in propagation/baggage.go parses each baggage header field-value independently and aggregates the results. An attacker can exploit this by sending numerous baggage header lines, each individually within the 8192-byte limit, leading to increased CPU usage and memory allocations, higher latency and potential denial-of-service conditions. The issue lies in the parsing of headers received in HTTP requests; the vulnerable function is extractMultiBaggage.

Recommendations: Update to version 1.41.0 or later.

Fix · DoS · Allocation of Resources Without Limits · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-BR79647
CLEANSTART-2026-DH72490
CLEANSTART-2026-EI06494
CLEANSTART-2026-GB36430
CLEANSTART-2026-GJ69402
CLEANSTART-2026-GQ00159
CLEANSTART-2026-GZ35045
CLEANSTART-2026-JQ70227
CLEANSTART-2026-LA07853
CLEANSTART-2026-LG79681
CLEANSTART-2026-MJ60235
CLEANSTART-2026-MV81821
CLEANSTART-2026-NT80635
CLEANSTART-2026-OD56729
CLEANSTART-2026-OX51942
CLEANSTART-2026-QO29688
CLEANSTART-2026-QR52625
CLEANSTART-2026-QX43073
CLEANSTART-2026-RZ44006
CLEANSTART-2026-TH33219
CLEANSTART-2026-UY49411
CVE-2026-29181
GHSA-MH2Q-Q3FH-2475

Affected Products

Opentelemetry-Go