PT-2026-41784 · Opentelemetry · @Opentelemetry/Instrumentation
Mralias
·
Published
2026-05-18
·
Updated
2026-06-25
·
CVE-2026-45679
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
OpenTelemetry eBPF Instrumentation versions prior to 0.9.0
Description
OpenTelemetry eBPF Instrumentation exports raw Redis error text as the span status message. Because Redis error replies can contain sensitive values or attacker-controlled data, this behavior can lead to the exfiltration of tokens, personally identifiable information (PII), or other confidential input into telemetry backends. Additionally, it allows the injection of untrusted text into downstream analysis systems. The issue occurs because the
getRedisError() function trims the raw error buffer and stores it directly in request.DBError.Description, which is subsequently returned as the exported status message for Redis spans when the span status is non-zero, without any sanitization beyond CRLF trimming.Recommendations
Update to version 0.9.0.
Exploit
Fix
Insertion into Log File
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Opentelemetry/Instrumentation