PT-2026-37116 · Unknown · Opentelemetry.Exporter.Onecollector

Smartincostello · Published 2026-04-29 · Updated 2026-05-15 · CVE-2026-41484

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OpenTelemetry.Exporter.OneCollector versions prior to 1.15.1

Description: When exporting telemetry to a back-end or collector over HTTP, the HttpJsonPostTransport class reads the entire response body into memory without an upper bound if the request results in an unsuccessful HTTP 4xx or 5xx response. An attacker who controls the configured endpoint or intercepts traffic via a man-in-the-middle attack can return an arbitrarily large response body. This leads to unbounded heap allocation, causing high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process, resulting in a denial-of-service condition.

Recommendations: Update to version 1.15.1. Use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the configured back-end or collector endpoint.
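The defect described above is the unbounded read of an error response's body. The following C# is an added illustration, not code from the OpenTelemetry project: a hypothetical helper that shows the vulnerable shape (buffer the whole body) beside a hardened shape that caps the bytes buffered for a diagnostic message, driven by a constructed 5xx response so it runs without a network.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical helper, not the library's own code: bound how much of a
// failed response's body is buffered when building a diagnostic message.
public static class BoundedResponseReader
{
    // Vulnerable shape: buffers the entire body, whatever its size.
    public static Task<string> ReadUnboundedAsync(HttpResponseMessage response) =>
        response.Content.ReadAsStringAsync();

    // Hardened shape: never allocate more than maxBytes for the body.
    public static async Task<string> ReadBoundedAsync(
        HttpResponseMessage response, int maxBytes, CancellationToken ct)
    {
        using Stream body = await response.Content.ReadAsStreamAsync(ct).ConfigureAwait(false);
        byte[] buffer = new byte[maxBytes];
        int total = 0;
        while (total < maxBytes)
        {
            int n = await body.ReadAsync(buffer.AsMemory(total, maxBytes - total), ct)
                              .ConfigureAwait(false);
            if (n == 0) break; // end of stream before the cap was reached
            total += n;
        }
        // A multi-byte UTF-8 sequence cut at the cap decodes to U+FFFD; acceptable for diagnostics.
        string text = Encoding.UTF8.GetString(buffer, 0, total);
        // Filling the buffer means the peer may still be sending: stop here and say so
        // rather than draining a peer-controlled stream into memory.
        return total == maxBytes ? text + " ...[truncated]" : text;
    }

    public static async Task Main()
    {
        // Constructed sample: a 5xx response with a large body, no network needed.
        using var response = new HttpResponseMessage(HttpStatusCode.InternalServerError)
        {
            Content = new StringContent(new string('x', 1_000_000)),
        };
        if (!response.IsSuccessStatusCode)
        {
            string snippet = await ReadBoundedAsync(response, maxBytes: 4096, CancellationToken.None);
            Console.WriteLine($"HTTP {(int)response.StatusCode}: kept {snippet.Length} chars");
        }
    }
}
```

With the cap at 4096 bytes the hardened reader allocates a fixed buffer regardless of how much the server sends, which is the property the fixed release restores.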

Fix · DoS

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers:
CVE-2026-41484
GHSA-55M9-299J-53C7

Affected Products:
Opentelemetry.Exporter.Onecollector