Denial of Service Vulnerability in OpenTelemetry-Go by OpenTelemetry
CVE-2026-41178

5.3MEDIUM

What is CVE-2026-41178?

A Denial of Service vulnerability exists in OpenTelemetry-Go, where versions 1.41.0 and 1.43.0 lack proper handling of oversized or invalid baggage headers. This flaw allows attackers to send large inputs which can overwhelm the processing capabilities, leading to potential service downtime. The vulnerability has been addressed in subsequent releases, specifically in versions 1.42.0 and 1.44.0, which restore proper raw-length rejection mechanisms.

Affected Version(s)

go.opentelemetry.io/otel/baggage = 1.41.0 = 1.41.0

go.opentelemetry.io/otel/baggage = 1.43.0 = 1.43.0

go.opentelemetry.io/otel/propagation = 1.41.0 = 1.41.0

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.