PT-2026-54844 · Opentelemetry · @Opentelemetry/Instrumentation

Fwinkler79

·

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-54704

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends. This issue has been fixed in version 2.28.0.

Fix

Insertion into Log File

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54704

Affected Products

@Opentelemetry/Instrumentation