PT-2026-31449 · Opentelemetry · Opentelemetry-Go

Published 2026-04-01 · Updated 2026-05-26 · CVE-2026-39882

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

OpenTelemetry-Go versions prior to 1.43.0

Description

The OTLP HTTP exporters (traces, metrics, logs) in OpenTelemetry-Go versions prior to 1.43.0 read the full HTTP response body into an in-memory bytes.Buffer without a size limit. This can lead to memory exhaustion if the configured collector endpoint is controlled by an attacker, or if a network attacker can perform a man-in-the-middle (MITM) attack on the exporter connection. A malicious collector can force large memory allocations during export, potentially crashing the instrumented process. The vulnerable code is located in the following files: exporters/otlp/otlptrace/otlptracehttp/client.go, exporters/otlp/otlpmetric/otlpmetrichttp/client.go, and exporters/otlp/otlplog/otlploghttp/client.go.

Recommendations

Update to OpenTelemetry-Go version 1.43.0 or later.
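
The pattern described above next to a bounded read, as an added example. This is not the OpenTelemetry-Go code or its 1.43.0 patch. The names `readUnbounded`, `readBounded`, `endless` and `fakeResponse` and the 4 MiB limit are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// maxResponseBytes is an assumed cap; the advisory does not state the fix's limit.
const maxResponseBytes = 4 << 20 // 4 MiB
var errResponseTooLarge = errors.New("collector response exceeds size limit")

// readUnbounded mirrors the pattern in the advisory: the whole body goes into
// a bytes.Buffer, so the remote peer decides how much memory is allocated.
func readUnbounded(resp *http.Response) ([]byte, error) {
	var buf bytes.Buffer
	_, err := io.Copy(&buf, resp.Body)
	return buf.Bytes(), err
}

// readBounded copies at most limit+1 bytes. The extra byte lets an oversized
// body be reported as an error instead of being silently truncated.
func readBounded(resp *http.Response, limit int64) ([]byte, error) {
	var buf bytes.Buffer
	n, err := io.Copy(&buf, io.LimitReader(resp.Body, limit+1))
	if err != nil {
		return nil, err
	}
	if n > limit {
		return nil, errResponseTooLarge
	}
	return buf.Bytes(), nil
}

// endless is a constructed stand-in for a hostile collector: it never returns EOF.
type endless struct{}
func (endless) Read(p []byte) (int, error) { return len(p), nil }

// fakeResponse wraps body in a constructed *http.Response; no network is used.
func fakeResponse(body io.Reader) *http.Response {
	return &http.Response{StatusCode: http.StatusOK, Body: io.NopCloser(body)}
}

func main() {
	_, err := readBounded(fakeResponse(endless{}), maxResponseBytes)
	fmt.Println("endless body:", err) // the bounded read stops and returns an error
}
```

Passing `endless{}` to `readUnbounded` would grow the buffer until the process runs out of memory, which is the failure the advisory describes.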

Related Identifiers

BDU:2026-05818
CVE-2026-39882
GHSA-W8RR-5GCM-PP58
GO-2026-4985

Affected Products

Opentelemetry-Go