QSearchQSearch

CVE-2026-24051

7.0 HIGH

OpenTelemetry-Go is the Go implementation of OpenTelemetry

Published: 2026-02-02 · Last updated: 2026-06-15

Severity and scoring

CVSS
7.0 HIGH
Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-426

Affected products

VendorProduct
opentelemetryopentelemetry

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-44967 OpenTelemetry-cpp is the C++ implementation of OpenTelemetry (5.3 MEDIUM)
  • CVE-2026-45686 OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (7.5 HIGH)
  • CVE-2026-45685 OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (7.5 HIGH)
  • CVE-2026-45684 OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (4.9 MEDIUM)
  • CVE-2026-45683 OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard (3.8 LOW)

Same CWE

  • CVE-2026-53865 OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service path... (7.1 HIGH)
  • CVE-2026-53858 OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bu... (7.1 HIGH)
  • CVE-2026-53846 OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the ... (7.1 HIGH)
  • CVE-2026-53842 OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runti... (7.1 HIGH)
  • CVE-2026-54055 Kitty is a cross-platform GPU based terminal (5.0 MEDIUM)