PT-2026-41784 · Opentelemetry · @Opentelemetry/Instrumentation

Mralias

·

Published

2026-05-18

·

Updated

2026-06-25

·

CVE-2026-45679

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions OpenTelemetry eBPF Instrumentation versions prior to 0.9.0
Description OpenTelemetry eBPF Instrumentation exports raw Redis error text as the span status message. Because Redis error replies can contain sensitive values or attacker-controlled data, this behavior can lead to the exfiltration of tokens, personally identifiable information (PII), or other confidential input into telemetry backends. Additionally, it allows the injection of untrusted text into downstream analysis systems. The issue occurs because the getRedisError() function trims the raw error buffer and stores it directly in request.DBError.Description, which is subsequently returned as the exported status message for Redis spans when the span status is non-zero, without any sanitization beyond CRLF trimming.
Recommendations Update to version 0.9.0.

Exploit

Fix

Insertion into Log File

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45679
GHSA-8RRQ-WCG8-CV5Q
GO-2026-5265

Affected Products

@Opentelemetry/Instrumentation