Denial of Service Vulnerability in OpenTelemetry-Go by OpenTelemetry
CVE-2026-41178
5.3MEDIUM
What is CVE-2026-41178?
A Denial of Service vulnerability exists in OpenTelemetry-Go, where versions 1.41.0 and 1.43.0 lack proper handling of oversized or invalid baggage headers. This flaw allows attackers to send large inputs which can overwhelm the processing capabilities, leading to potential service downtime. The vulnerability has been addressed in subsequent releases, specifically in versions 1.42.0 and 1.44.0, which restore proper raw-length rejection mechanisms.
Affected Version(s)
go.opentelemetry.io/otel/baggage = 1.41.0 = 1.41.0
go.opentelemetry.io/otel/baggage = 1.43.0 = 1.43.0
go.opentelemetry.io/otel/propagation = 1.41.0 = 1.41.0
