CVE-2026-41178
5.3 MEDIUMOpenTelemetry-Go is the Go implementation of OpenTelemetry
Published: 2026-06-04 · Last updated: 2026-06-04
Severity and scoring
- CVSS
- 5.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- CWE
- CWE-789
Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-41178
- [Other]https://github.com/open-telemetry/opentelemetry-go/pull/7880
- [Other]https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835
- [Other]https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835
Related CVEs
Same CWE
- CVE-2026-47734 — Dulwich is a pure-Python implementation of the Git file formats and protocols (5.7 MEDIUM)
- CVE-2026-10142 — kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-i... (7.5 HIGH)
- CVE-2026-52759 — Ghidra before 12.1.1 contains an uncontrolled memory allocation vulnerability in the Mach-O binary parser that allows attackers to cause ... (5.5 MEDIUM)
- CVE-2026-52753 — Ghidra before 12.0.3 contains an out-of-memory vulnerability in the rust_demangle function that allocates unbounded output buffers withou... (5.5 MEDIUM)
- CVE-2026-49975 — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)