opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response
CVE-2026-44967

5.3MEDIUM

Key Information:

Vendor

Open-telemetry

Status
Opentelemetry-cpp
Vendor
CVE Published:
12 June 2026

What is CVE-2026-44967?

OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.

Affected Version(s)

opentelemetry-cpp < 1.27.0

References

https://github.com/open-telemetry/opentelemetry-cpp/secur...
x_refsource_CONFIRM
https://github.com/open-telemetry/opentelemetry-go/securi...
x_refsource_MISC
https://github.com/open-telemetry/opentelemetry-cpp/issue...
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.