PT-2026-54845 · Unknown · @Opentelemetry/Instrumentation

Decsecre583

·

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-54712

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions: OpenTelemetry Java Instrumentation versions prior to 2.27.0

Description: An issue exists in the RMI context propagation payload reader: the number of context entries is limited, but the aggregate size of the strings read from the stream is not. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload, causing excessive memory allocation and potentially leading to a denial of service. This affects deployments where RMI instrumentation is enabled and the RMI endpoint is network-reachable.

Recommendations: Update to version 2.27.0 or later. As a temporary mitigation, disable RMI instrumentation or restrict network access to the RMI endpoint.
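The following is an added illustration of the bug class described above, not the OpenTelemetry project's code. It uses an assumed wire format (an int entry count, then per entry an int length and UTF-8 bytes for key and value) and assumed limits (MAX_ENTRIES, MAX_TOTAL_BYTES). The vulnerable reader checks only the entry count, so a single entry declaring a 1 GiB value length forces a 1 GiB allocation before any body byte arrives; the hardened reader charges every declared length against one payload-wide byte budget before allocating.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added demo, not project code. Assumed format: int count, then per entry int keyLen, key, int valLen, val. */
public final class ContextPayloadDemo {
    static final int MAX_ENTRIES = 32;             // assumed entry-count cap (the check the text says exists)
    static final int MAX_TOTAL_BYTES = 16 * 1024;  // assumed aggregate cap (the check the text says is missing)

    /** Vulnerable shape: bounds the entry count but allocates each declared string length blindly. */
    static Map<String, String> readVulnerable(DataInputStream in) throws IOException {
        int count = in.readInt();
        if (count < 0 || count > MAX_ENTRIES) {
            throw new IOException("entry count out of range: " + count);
        }
        Map<String, String> ctx = new LinkedHashMap<>();
        for (int i = 0; i < count; i++) {
            ctx.put(readStringUnchecked(in), readStringUnchecked(in));
        }
        return ctx;
    }

    private static String readStringUnchecked(DataInputStream in) throws IOException {
        int len = in.readInt();
        byte[] buf = new byte[len];  // attacker-chosen size: allocated before a single payload byte is read
        in.readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    /** Hardened shape: one byte budget shared by all strings in the payload, checked before allocation. */
    static Map<String, String> readBounded(DataInputStream in) throws IOException {
        int count = in.readInt();
        if (count < 0 || count > MAX_ENTRIES) {
            throw new IOException("entry count out of range: " + count);
        }
        int[] budget = {MAX_TOTAL_BYTES};
        Map<String, String> ctx = new LinkedHashMap<>();
        for (int i = 0; i < count; i++) {
            ctx.put(readStringBudgeted(in, budget), readStringBudgeted(in, budget));
        }
        return ctx;
    }

    private static String readStringBudgeted(DataInputStream in, int[] budget) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > budget[0]) {
            throw new IOException("payload exceeds " + MAX_TOTAL_BYTES + " bytes");
        }
        budget[0] -= len;  // charge the shared budget first so the sum of all strings, not each string, is capped
        byte[] buf = new byte[len];
        in.readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    /** Constructed hostile payload: one entry (within the count limit) whose value claims to be 1 GiB long. */
    static byte[] oversizedPayload() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(1);
        byte[] key = "traceparent".getBytes(StandardCharsets.UTF_8);
        out.writeInt(key.length);
        out.write(key);
        out.writeInt(1 << 30);  // declared value length of 1 GiB, with no bytes actually following
        out.flush();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] hostile = oversizedPayload();
        try {
            readBounded(new DataInputStream(new ByteArrayInputStream(hostile)));
        } catch (IOException e) {
            System.out.println("bounded reader rejected it: " + e.getMessage());
        }
        // readVulnerable(...) on the same bytes allocates 1 GiB (or throws OutOfMemoryError on a small heap)
        // before readFully ever fails with EOFException; that allocation is the denial-of-service primitive.
    }
}
```

The budget is checked before `new byte[len]` because that is where the damage happens; a check after allocation would still let the attacker force the allocation. For the interim mitigation on a real deployment, the Java agent disables individual instrumentations through a per-instrumentation property, so `-Dotel.instrumentation.rmi.enabled=false` is the assumed switch (naming follows the agent's convention and should be confirmed against the version in use), alongside firewalling the RMI registry and remote object ports to trusted callers.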

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2026-54712

Affected Products

@Opentelemetry/Instrumentation