Baggage Propagation Memory Vulnerability in OpenTelemetry Java by OpenTelemetry
CVE-2026-45292
5.3MEDIUM
What is CVE-2026-45292?
A vulnerability in the baggage propagation implementation of the opentelemetry-java project, prior to version 1.62.0, leads to unbounded memory allocation and increased CPU consumption when parsing oversized baggage. As baggage is re-injected into every outgoing request, the impact can propagate to downstream services, creating potential denial-of-service conditions without direct involvement of the malicious request. This vulnerability has been addressed in version 1.62.0.
Affected Version(s)
opentelemetry-api 1.62.0
opentelemetry-extension-trace-propagators 1.62.0
opentelemetry-java < 1.62.0
