PT-2026-34707 · Unknown · Opentelemetry Dotnet

1Seal · Published 2026-04-23 · Updated 2026-04-29 · CVE-2026-40182

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

OpenTelemetry dotnet versions 1.13.1 through 1.15.1

Description

When exporting telemetry to a back-end or collector over gRPC or HTTP using the OpenTelemetry Protocol (OTLP) format, unsuccessful requests (HTTP 4xx or 5xx) result in the response being read into memory without an upper bound on the number of bytes consumed. This can lead to memory exhaustion and a denial-of-service condition in the consuming application if the configured back-end or collector endpoint is attacker-controlled or if a network attacker performs a Man-in-the-Middle (MitM) attack to return an extremely large response body.

Recommendations

Update to version 1.15.2.
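
For code that reads error bodies from a collector itself, the general mitigation for the pattern in the description is to cap how many bytes of a 4xx/5xx response are consumed. The following C# is an added example, not the OpenTelemetry .NET fix or any code from the project; the 4 KiB cap, the class names and the `collector.example` URL are assumptions made for illustration, and it targets .NET 6 or later.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

static class BoundedErrorBody
{
    // Hypothetical cap for this example; the advisory does not state the limit used by the fix.
    public const int MaxErrorBodyBytes = 4 * 1024;
    // Reads at most MaxErrorBodyBytes of the body and reports whether more data remained.
    public static async Task<(string Text, bool Truncated)> ReadAsync(
        HttpResponseMessage response, CancellationToken ct = default)
    {
        using Stream body = await response.Content.ReadAsStreamAsync(ct);
        var buffer = new byte[MaxErrorBodyBytes + 1]; // one extra byte detects an oversized body
        int total = 0;
        while (total < buffer.Length)
        {
            int n = await body.ReadAsync(buffer.AsMemory(total, buffer.Length - total), ct);
            if (n == 0) break; // end of stream
            total += n;
        }
        int kept = Math.Min(total, MaxErrorBodyBytes);
        return (Encoding.UTF8.GetString(buffer, 0, kept), total > MaxErrorBodyBytes);
    }
}

// Constructed stand-in for a collector that answers 503 with a 1 MiB body (no network is used).
sealed class OversizedErrorHandler : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
        => Task.FromResult(new HttpResponseMessage(System.Net.HttpStatusCode.ServiceUnavailable)
            { Content = new StreamContent(new MemoryStream(new byte[1 << 20])) });
}

static class Program
{
    static async Task Main()
    {
        using var client = new HttpClient(new OversizedErrorHandler());
        using var request = new HttpRequestMessage(HttpMethod.Post, "http://collector.example/v1/traces");
        // ResponseHeadersRead keeps HttpClient from buffering the whole body before returning.
        using var response = await client.SendAsync(request, HttpCompletionOption.ResponseHeadersRead);
        var (text, truncated) = await BoundedErrorBody.ReadAsync(response);
        Console.WriteLine($"{(int)response.StatusCode}: kept {text.Length} chars, truncated={truncated}");
    }
}
```

Without `HttpCompletionOption.ResponseHeadersRead`, `HttpClient` buffers the full response content before the caller sees it, so the cap in `ReadAsync` alone would not bound memory use.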

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-40182
GHSA-Q834-8QMM-V933

Affected Products

Opentelemetry Dotnet