PT-2026-37268 · Opentelemetry · Opentelemetry.Opamp.Client

Kielek · Published 2026-05-05 · Updated 2026-05-27 · CVE-2026-42348

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: OpenTelemetry.OpAmp.Client versions prior to 0.2.0-alpha.1

Description: When receiving responses from the OpAMP server over HTTP, the client allocates an unbounded buffer to read all bytes from the server, with no upper limit on the number of bytes consumed. This occurs because the HTTP transport components use the ReadAsByteArrayAsync() function to copy the HttpResponseMessage.Content into a byte array, allowing an unbounded read of the entire HTTP response message. If the configured OpAMP server is attacker-controlled, or a network attacker performs a Man-in-the-Middle (MitM) attack, an extremely large response body could lead to memory exhaustion and a denial-of-service condition in the consuming application.

Recommendations: Update to version 0.2.0-alpha.1.
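The unbounded read the advisory describes, beside a bounded alternative that streams the body and stops at a cap, as an added C# example that is not code from OpenTelemetry.OpAmp.Client. The class and method names, the 4 MiB limit and the .NET 6 or later target are assumptions of this example.

```csharp
// Added example, not OpenTelemetry.OpAmp.Client code. Assumes .NET 6+.
using System;
using System.IO;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

public static class BoundedResponseReader
{
    // Assumed cap: OpAMP messages are small protobufs, so a few MiB is generous.
    public const long MaxResponseBytes = 4 * 1024 * 1024;

    // Pattern the advisory describes: the whole body is buffered whatever its
    // size, so a hostile or MitM server can exhaust the client's memory.
    public static Task<byte[]> ReadUnboundedAsync(HttpResponseMessage response)
        => response.Content.ReadAsByteArrayAsync();

    // Hardened form: reject an oversized Content-Length up front, then stream the
    // body in chunks and abort as soon as the running total passes the cap, which
    // also covers chunked responses that declare no length at all.
    public static async Task<byte[]> ReadBoundedAsync(
        HttpResponseMessage response, long maxBytes = MaxResponseBytes, CancellationToken ct = default)
    {
        long? declared = response.Content.Headers.ContentLength;
        if (declared > maxBytes)
            throw new InvalidDataException($"OpAMP response declares {declared} bytes; limit is {maxBytes}");
        using Stream body = await response.Content.ReadAsStreamAsync(ct);
        using var buffer = new MemoryStream();
        byte[] chunk = new byte[16 * 1024];
        int read;
        while ((read = await body.ReadAsync(chunk, 0, chunk.Length, ct)) > 0)
        {
            if (buffer.Length + read > maxBytes)
                throw new InvalidDataException($"OpAMP response exceeded {maxBytes} bytes; read aborted");
            buffer.Write(chunk, 0, read);
        }
        return buffer.ToArray();
    }

    // The bounded reader only helps if HttpClient has not already buffered the
    // body itself: send with ResponseHeadersRead so the stream is consumed here.
    public static async Task<byte[]> SendAndReadAsync(
        HttpClient client, HttpRequestMessage request, CancellationToken ct = default)
    {
        using HttpResponseMessage response =
            await client.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, ct);
        response.EnsureSuccessStatusCode();
        return await ReadBoundedAsync(response, MaxResponseBytes, ct);
    }
}
```

Setting HttpClient.MaxResponseContentBufferSize is a second, independent guard for callers that keep the default buffering completion option.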


Related Identifiers

CVE-2026-42348
GHSA-W2JH-77FQ-7GP8

Affected Products

Opentelemetry.Opamp.Client