Denial of Service Vulnerability in OpenTelemetry .NET Framework by OpenTelemetry
CVE-2026-40891

5.3 MEDIUM

What is CVE-2026-40891?

In the OpenTelemetry .NET telemetry framework, versions from 1.13.1 up to, but not including, 1.15.2 are affected by a vulnerability in the gRPC exporter's handling of server-provided grpc-status-details-bin trailers during telemetry exports. If a malformed trailer is encountered, the exporter decodes it directly, so an extremely large length-delimited protobuf field can cause excessive memory allocation. This creates a pathway for denial of service attacks against application availability. Users are advised to upgrade to version 1.15.2 or later to mitigate this issue.
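A decoder that bounds each protobuf field's declared length against the bytes actually present before using it, as an added example (not code from the OpenTelemetry project): it parses a google.rpc.Status message as carried in a grpc-status-details-bin trailer and rejects a field whose declared length exceeds what follows. The field layout handled here and the two sample trailers are assumptions constructed for the illustration.

```python
import base64

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint at buf[pos]; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def decode_status(raw: bytes) -> dict:
    """Decode google.rpc.Status: 1 = code (varint), 2 = message, 3 = details (repeated).
    Each declared length is bounded by the bytes actually present before it is used."""
    out = {"code": 0, "message": "", "details": []}
    pos = 0
    while pos < len(raw):
        tag, pos = read_varint(raw, pos)
        field, wire_type = tag >> 3, tag & 0x7
        if wire_type == 0:                       # varint
            value, pos = read_varint(raw, pos)
            if field == 1:
                out["code"] = value
        elif wire_type == 2:                     # length-delimited
            length, pos = read_varint(raw, pos)
            # Peer-controlled length: allocating it before this check is the flaw the advisory describes.
            if length > len(raw) - pos:
                raise ValueError(f"field {field} declares {length} bytes, {len(raw) - pos} remain")
            payload, pos = raw[pos:pos + length], pos + length
            if field == 2:
                out["message"] = payload.decode("utf-8", errors="replace")
            elif field == 3:
                out["details"].append(payload)
        else:
            raise ValueError(f"unsupported wire type {wire_type} for field {field}")
    return out

def check_trailer(value: str) -> tuple[bool, str]:
    """Base64-decode a '-bin' trailer (padding may be omitted) and report (accepted, reason)."""
    try:
        status = decode_status(base64.b64decode(value + "=" * (-len(value) % 4)))
    except ValueError as exc:
        return False, str(exc)
    return True, f"code={status['code']} message={status['message']!r}"
# Constructed samples: Status{code=8, message="quota"}, and a message field declaring 2^31-1 bytes with none present.
SAMPLE_OK = base64.b64encode(b"\x08\x08\x12\x05quota").decode()
SAMPLE_BAD = base64.b64encode(b"\x08\x08\x12\xff\xff\xff\xff\x07").decode()
```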

Affected Version(s)

opentelemetry-dotnet >= 1.13.1, < 1.15.3

OpenTelemetry.Exporter.OpenTelemetryProtocol >= 1.13.1, < 1.15.3

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved