OpenTelemetry Protocol Exporter Vulnerability in OpenTelemetry Products
CVE-2026-42191

6.5MEDIUM

Key Information:

Vendor: Open-telemetry
Status: Opentelemetry-dotnet
Vendor: CVE Published:; 12 May 2026

🔔 Create Open-telemetry Vulnerability Alert

What is CVE-2026-42191?

The vulnerability in the OpenTelemetry.Exporter.OpenTelemetryProtocol affects versions 1.8.0 to 1.15.2. It arises from the OTLP disk retry feature, which defaults to using the temporary directory without proper configuration. This oversight allows unauthorized users on multi-user systems to create, manage, or read from .blob files, potentially leading to unauthorized access to data or depletion of disk resources. The issue has been resolved in version 1.15.3, highlighting the importance of implementing adequate configuration for secure operation.

Affected Version(s)

opentelemetry-dotnet >= 1.8.0, < 1.15.3

References

https://github.com/open-telemetry/opentelemetry-dotnet/se...

x_refsource_CONFIRM

https://github.com/open-telemetry/opentelemetry-dotnet/pu...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 25, 2026

CVE-2026-42191 Data

JSON