CVE-2026-41178

Name of the Vulnerable Software and Affected Versions OpenTelemetry Go (affected versions not specified)

Description A denial-of-service issue exists due to the removal of raw-length rejection during baggage header parsing. The Parse function processes arbitrarily large or invalid baggage headers and logs errors, allowing a remote client to trigger excessive CPU and memory consumption. Specifically, in baggage/baggage.go, the parseMember function performs full parsing and PathUnescape on members without a size guard. Additionally, in propagation/baggage.go, parsing errors from attacker-controlled headers are sent to the global error handler, which by default performs logging, potentially amplifying the impact of oversized inputs.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.