PT-2026-31450 · FreeBSD+2

Published 2026-04-08 · Updated 2026-05-21 · CVE-2026-39883

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

OpenTelemetry-Go versions 1.15.0 through 1.42.0

Description

The fix for a previous issue changed the path used for one command but left another command vulnerable to a PATH hijacking attack on BSD and Solaris platforms. Specifically, the `kenv` command is executed without an absolute path, allowing an attacker to potentially execute arbitrary code in the context of the application. This occurs when `/etc/hostid` does not exist, which is common on FreeBSD systems. The attack requires local access to the system. The vulnerable command is `exec.Command("kenv", ...)`.

Recommendations

Update to version 1.43.0 or later.
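
The lookup behind the description, as an added example (not OpenTelemetry-Go's code and not its actual fix): a bare name passed to `exec.Command` is resolved through `$PATH`, so the first matching file in any listed directory runs. The function names and the `trustedDirs` list are assumptions made for this sketch.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// Assumption for this example: directories that only root can write to.
var trustedDirs = []string{"/bin", "/sbin", "/usr/bin", "/usr/sbin"}

// auditBareExec reports which file a bare command name resolves to through
// $PATH (the lookup exec.Command performs for names without a path separator)
// and whether that file lies outside the trusted directories.
func auditBareExec(name string, trusted []string) (resolved string, risky bool) {
	p, err := exec.LookPath(name)
	if err != nil {
		return "", false // nothing would be executed
	}
	for _, d := range trusted {
		if filepath.Dir(p) == filepath.Clean(d) {
			return p, false
		}
	}
	return p, true
}

// resolvePinned is the hardened lookup: it never consults $PATH and accepts
// only a regular, executable file directly inside a trusted directory.
func resolvePinned(name string, trusted []string) (string, error) {
	if filepath.Base(name) != name {
		return "", fmt.Errorf("%q is not a bare command name", name)
	}
	for _, d := range trusted {
		p := filepath.Join(d, name)
		if fi, err := os.Stat(p); err == nil && fi.Mode().IsRegular() && fi.Mode().Perm()&0o111 != 0 {
			return p, nil
		}
	}
	return "", fmt.Errorf("%s: not found in trusted directories", name)
}

func main() {
	p, risky := auditBareExec("kenv", trustedDirs)
	fmt.Printf("bare lookup: %q outside trusted dirs: %v\n", p, risky)
	pinned, err := resolvePinned("kenv", trustedDirs)
	fmt.Printf("pinned lookup: %q err: %v\n", pinned, err)
}
```

Passing the result of `resolvePinned` to `exec.Command` gives the absolute-path form of the call, which is unaffected by the caller's `PATH`.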

Weakness Enumeration

Untrusted Search Path

Related Identifiers

CVE-2026-39883
GHSA-HFVC-G4FC-PQHX

Affected Products

FreeBSD
OpenTelemetry-Go
Solaris