Baggage Propagation Memory Vulnerability in OpenTelemetry Java by OpenTelemetry
CVE-2026-45292

5.3MEDIUM

What is CVE-2026-45292?

A vulnerability in the baggage propagation implementation of the opentelemetry-java project, prior to version 1.62.0, leads to unbounded memory allocation and increased CPU consumption when parsing oversized baggage. As baggage is re-injected into every outgoing request, the impact can propagate to downstream services, creating potential denial-of-service conditions without direct involvement of the malicious request. This vulnerability has been addressed in version 1.62.0.

Affected Version(s)

opentelemetry-api 1.62.0

opentelemetry-extension-trace-propagators 1.62.0

opentelemetry-java < 1.62.0

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.