Resource Consumption Vulnerability in OpenTelemetry Rust SDK by OpenTelemetry
CVE-2026-48504

5.3MEDIUM

Key Information:

Vendor
CVE Published:
17 July 2026

What is CVE-2026-48504?

The OpenTelemetry Rust SDK, specifically in version 0.32.0 and earlier, introduces a vulnerability in the BaggagePropagator::extract_with_context function. This function neglects to enforce W3C Baggage size limits prior to parsing inbound baggage headers. As a result, an attacker can exploit this oversight by sending large, controlled baggage headers, leading to excessive CPU processing and short-lived heap allocations as the SDK attempts to process these oversized headers. Services that handle untrusted incoming propagation headers are particularly vulnerable, experiencing increased resource usage per request when processing such headers. This issue has been remedied in version 0.32.1.

Affected Version(s)

opentelemetry-rust < 0.32.1

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.