CVE-2026-39882

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.3 / 10

Vector String

                                        CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H                                    

Vulnerability Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0.

Vulnerability Details

Published Date

April 08, 2026

Last Modified

April 09, 2026

CWE ID

CWE-789

Source

NVD

Vendor

open-telemetry

Product

opentelemetry-go

External References

https://github.com/open-telemetry/opentelemetry-go/pull/8108
https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58

CVE-2026-39882

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment