SQL Injection Vulnerability in OpenTelemetry Java Instrumentation
CVE-2026-54704
6.5 MEDIUM
What is CVE-2026-54704?
In versions of OpenTelemetry Java Instrumentation before 2.28.0, the JDBC auto-instrumentation module did not fully sanitize SQL text before recording it as a span attribute: a database password embedded in a SQL CONNECT statement was not masked when it was enclosed in double quotes. The clear-text password could therefore end up in the trace span's statement attribute and, once spans were exported to an observability backend, be read by anyone with access to that backend, which could facilitate unauthorized access to the database. Version 2.28.0 fixes the sanitization so that double-quoted passwords are masked as well. Deployments that ran affected versions should also review previously exported spans for exposed credentials and rotate any that appear.
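The following is an added illustration of the sanitization gap described above, not code from the OpenTelemetry project: a small SQL literal masker in Python, first restricted to single-quoted literals (reproducing the kind of gap the advisory describes), then extended to double-quoted literals. The CONNECT statements, the secret value and the `db.statement` attribute name used here are constructed for the example.

```python
# Added example (not OpenTelemetry code): masking SQL string literals before
# they are recorded as a span attribute, and why skipping double-quoted
# literals leaks a CONNECT password.

# Constructed sample statements; "s3cr3t-p4ss" is a made-up secret.
CONNECT_DOUBLE_QUOTED = 'CONNECT TO db USER "alice" PASSWORD "s3cr3t-p4ss"'
CONNECT_SINGLE_QUOTED = "CONNECT TO db USER 'alice' PASSWORD 's3cr3t-p4ss'"
SECRET = "s3cr3t-p4ss"


def _mask_literals(sql: str, quote_chars: str) -> str:
    """Replace string literals delimited by any char in quote_chars, and
    bare numeric literals, with '?'. Handles backslash escapes and doubled
    quotes ('' / "") inside a literal."""
    out = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c in quote_chars:
            q = c
            i += 1
            while i < n:
                if sql[i] == "\\" and i + 1 < n:   # backslash escape
                    i += 2
                    continue
                if sql[i] == q:
                    if i + 1 < n and sql[i + 1] == q:  # doubled-quote escape
                        i += 2
                        continue
                    i += 1                            # closing quote
                    break
                i += 1
            out.append("?")
            continue
        # A digit that does not continue an identifier starts a numeric literal.
        if c.isdigit() and (i == 0 or not (sql[i - 1].isalnum() or sql[i - 1] == "_")):
            while i < n and (sql[i].isalnum() or sql[i] == "."):
                i += 1
            out.append("?")
            continue
        out.append(c)
        i += 1
    return "".join(out)


def sanitize_single_quoted_only(sql: str) -> str:
    """Illustrative flawed sanitizer: masks only single-quoted literals."""
    return _mask_literals(sql, "'")


def sanitize(sql: str) -> str:
    """Sanitizer that masks both single- and double-quoted literals."""
    return _mask_literals(sql, "'\"")


def build_span_attributes(sql: str, sanitizer) -> dict:
    """Model of what an instrumentation would attach to the span."""
    return {"db.statement": sanitizer(sql)}


def leaks_secret(attributes: dict, secret: str) -> bool:
    """True if the secret survives into any span attribute value."""
    return any(secret in str(v) for v in attributes.values())


if __name__ == "__main__":
    for name, fn in (("single-quoted only", sanitize_single_quoted_only),
                     ("both quote styles", sanitize)):
        attrs = build_span_attributes(CONNECT_DOUBLE_QUOTED, fn)
        print(f"{name}: {attrs['db.statement']}  leaks={leaks_secret(attrs, SECRET)}")
```

Masking every double-quoted token over-masks identifiers in dialects where double quotes delimit identifiers rather than strings, which costs some readability in the recorded statement; for an attribute that leaves the process and lands in a shared backend, erring toward masking is the safer choice.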
Affected Version(s)
opentelemetry-java-instrumentation < 2.28.0
