PT-2026-52642 · Unknown · Opentelemetry Sdk

Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-48504

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: opentelemetry sdk versions prior to 0.32.1
Description: The BaggagePropagator::extract_with_context() function in the opentelemetry sdk fails to enforce W3C Baggage size limits before parsing an inbound baggage header. An attacker can provide a large header to cause excessive CPU usage and short-lived heap allocations during the parsing of entries that are subsequently discarded by the SDK storage limits. This can lead to a denial-of-service condition for services accepting untrusted propagation headers, particularly if transport-level header limits are absent or exceed the W3C specification.
Recommendations: Upgrade to version 0.32.1 or later. As a temporary workaround, reject or limit inbound baggage headers larger than 8192 bytes at a proxy, gateway, middleware layer, or custom carrier boundary before invoking OpenTelemetry propagation extraction.
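A boundary check of the kind the workaround describes, added here as an illustrative Rust example (not code from the OpenTelemetry SDK): the carrier type, the header map shape and the gate function names are assumptions; the 8192-byte limit is the advisory's figure.

```rust
use std::collections::HashMap;

// Byte limit enforced at the boundary; 8192 is the figure from the advisory's workaround.
pub const MAX_BAGGAGE_BYTES: usize = 8192;

// Assumed carrier shape for this example: header name -> values (HTTP allows repeated fields).
pub type Headers = HashMap<String, Vec<String>>;

// Size of the baggage a propagator would have to parse: every `baggage` value (any letter
// case) plus the comma separators inserted when repeated headers are joined into one string.
pub fn baggage_size(headers: &Headers) -> usize {
    let values: Vec<&String> = headers
        .iter()
        .filter(|(name, _)| name.eq_ignore_ascii_case("baggage"))
        .flat_map(|(_, vals)| vals.iter())
        .collect();
    if values.is_empty() {
        return 0;
    }
    values.iter().map(|v| v.len()).sum::<usize>() + values.len() - 1
}

// Gate to run before propagation extraction: if the inbound baggage exceeds the limit,
// strip it from the carrier so the parser never sees it. Returns true when it was stripped.
pub fn enforce_baggage_limit(headers: &mut Headers, max_bytes: usize) -> bool {
    if baggage_size(headers) <= max_bytes {
        return false;
    }
    headers.retain(|name, _| !name.eq_ignore_ascii_case("baggage"));
    true
}

fn main() {
    // Constructed inbound requests: one ordinary baggage header and one oversized header.
    let mut normal = Headers::new();
    normal.insert("baggage".into(), vec!["userId=alice".into(), "region=eu".into()]);
    let mut oversized = Headers::new();
    oversized.insert("Baggage".into(), vec![format!("k={}", "v".repeat(8200))]);

    for (label, carrier) in [("normal", &mut normal), ("oversized", &mut oversized)] {
        let size = baggage_size(carrier);
        let stripped = enforce_baggage_limit(carrier, MAX_BAGGAGE_BYTES);
        println!("{label}: {size} bytes of baggage, stripped before extraction: {stripped}");
    }
}
```

Run the gate in the middleware or custom carrier layer and only hand the carrier to the SDK's extraction afterwards; an emitted metric or log line on the stripped case gives a simple detection signal for oversized headers.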

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-48504
GHSA-W9WP-H8WV-79JX

Affected Products

Opentelemetry Sdk