PT-2026-34720 · Nuget · Opentelemetry Api+1

Arminru +2 · Published 2026-04-23 · Updated 2026-05-11 · CVE-2026-40894

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

OpenTelemetry.Api versions 0.5.0-beta.2 through 1.15.2
OpenTelemetry.Extensions.Propagators versions 1.3.1 through 1.15.2

Description

Implementation details of the baggage, B3, and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory during parsing. This occurs because certain methods eagerly allocate intermediate arrays before applying size limits, and the BaggagePropagator.Inject<T>() function may fail to enforce length limits when injected baggage contains only one item. This behavior can lead to a denial of service (DoS) in the consuming application when processing excessively large or malformed propagation headers. The affected functions include BaggagePropagator.Extract<T>(), BaggagePropagator.Inject<T>(), B3Propagator.Extract<T>(), and JaegerPropagator.Extract<T>().

Recommendations

Update OpenTelemetry.Api to version 1.15.3.
Update OpenTelemetry.Extensions.Propagators to version 1.15.3.
Configure appropriate HTTP request header limits.
Disable baggage or trace propagation as a temporary workaround.
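
The Description's "eagerly allocate intermediate arrays before applying size limits" pattern, shown beside a bounded alternative. This is an added illustration, not code from OpenTelemetry or from this advisory; the class and method names and the two limit values are assumptions chosen for the example.

```csharp
// Added illustration; NOT the OpenTelemetry source. Names and limits are assumed.
using System;
using System.Collections.Generic;

static class BaggageParseDemo
{
    const int MaxItems = 180;         // assumed cap on baggage members
    const int MaxTotalLength = 8192;  // assumed cap on header characters consumed

    // Eager pattern: Split builds one string per comma before any limit is
    // checked, so allocation scales with the size of the incoming header.
    public static Dictionary<string, string> ParseEager(string header)
    {
        var result = new Dictionary<string, string>();
        foreach (string member in header.Split(','))   // full array allocated here
        {
            if (result.Count >= MaxItems) break;       // limit applied too late
            AddMember(member.AsSpan(), result);
        }
        return result;
    }

    // Bounded pattern: walk the header as a span and stop as soon as either
    // limit is reached, so no intermediate array is ever created.
    public static Dictionary<string, string> ParseBounded(string header)
    {
        var result = new Dictionary<string, string>();
        ReadOnlySpan<char> rest = header.AsSpan();
        int used = 0;
        while (!rest.IsEmpty && result.Count < MaxItems)
        {
            int comma = rest.IndexOf(',');
            ReadOnlySpan<char> member = comma < 0 ? rest : rest.Slice(0, comma);
            used += member.Length + 1;
            if (used > MaxTotalLength) break;          // drop members past the budget
            AddMember(member, result);
            rest = comma < 0 ? ReadOnlySpan<char>.Empty : rest.Slice(comma + 1);
        }
        return result;
    }

    static void AddMember(ReadOnlySpan<char> member, Dictionary<string, string> result)
    {
        int eq = member.IndexOf('=');
        if (eq <= 0) return;                           // skip empty or malformed members
        result[member.Slice(0, eq).Trim().ToString()] = member.Slice(eq + 1).Trim().ToString();
    }

    // Constructed oversized input: one valid member followed by a million commas.
    static void Main() => Console.WriteLine(ParseBounded("k=v," + new string(',', 1_000_000)).Count);
}
```

Both methods return the same single entry for the constructed input; the difference is that ParseEager allocates an array of about a million strings first, while ParseBounded stops after consuming its length budget.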

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2026-40894
GHSA-G94R-2VXG-569J

Affected Products

Opentelemetry Api
Opentelemetry.Extensions.Propagators