Denial of Service Vulnerability in OpenTelemetry Java Instrumentation
CVE-2026-54712
CVSS score: 5.3 (Medium)
What is CVE-2026-54712?
OpenTelemetry Java Instrumentation supports context propagation over Java RMI. Prior to version 2.27.0, the RMI instrumentation does not adequately bound the size of the strings carried in the propagated context payload. An attacker who can reach an instrumented RMI endpoint can send a payload with oversized strings, forcing the receiving JVM to allocate excessive memory and potentially causing a denial of service. Deployments that expose RMI endpoints with RMI instrumentation enabled are the ones at risk; if the RMI instrumentation is disabled, the unbounded decode path is not reached. Version 2.27.0 addresses the issue by limiting the size of strings in the payload.
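The pattern behind this class of bug, shown as an added example that is not OpenTelemetry's own code: a length-prefixed string is decoded from an untrusted peer, and the declared length drives the allocation before a single byte of the body is checked. The wire format (a 4-byte big-endian length followed by UTF-8 bytes), the class and method names, and the 4096-byte cap are all assumptions made for illustration; the sample trace-context string is constructed. The point of the hostile payload is that it declares roughly 2 GiB while carrying four bytes, so the allocation happens, or fails, long before the short read is noticed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class ContextPayloadDecoder {

    // Upper bound on any single propagated string. Assumed value for this
    // example, not a limit taken from the project.
    static final int MAX_STRING_BYTES = 4096;

    // Vulnerable pattern: allocate whatever length the remote peer declares.
    // A negative length would also escape as a NegativeArraySizeException.
    static String readStringUnbounded(DataInputStream in) throws IOException {
        int len = in.readInt();                 // attacker controlled
        byte[] buf = new byte[len];             // up to ~2 GiB allocated before any data is read
        in.readFully(buf);                      // only now does a short payload fail (EOFException)
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Hardened pattern: validate the declared length before allocating.
    static String readStringBounded(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > MAX_STRING_BYTES) {
            throw new IOException("propagated string length " + len
                    + " exceeds limit " + MAX_STRING_BYTES);
        }
        byte[] buf = new byte[len];
        in.readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Build a length-prefixed payload; declaredLen is separate from body so the
    // example can lie about the length the way a hostile peer would.
    static byte[] encode(int declaredLen, byte[] body) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(declaredLen);
        out.write(body);
        out.flush();
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a W3C-style traceparent value as a benign payload body.
        byte[] benign = "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01"
                .getBytes(StandardCharsets.UTF_8);
        byte[] good = encode(benign.length, benign);
        System.out.println("bounded, benign: "
                + readStringBounded(new DataInputStream(new ByteArrayInputStream(good))));

        // Hostile payload: declares ~2 GiB but carries only four bytes.
        byte[] hostile = encode(Integer.MAX_VALUE - 8, new byte[] {1, 2, 3, 4});
        try {
            readStringBounded(new DataInputStream(new ByteArrayInputStream(hostile)));
        } catch (IOException e) {
            System.out.println("bounded, hostile rejected: " + e.getMessage());
        }

        // The unbounded reader attempts the allocation first. On a heap smaller
        // than the declared size it dies with OutOfMemoryError; on a larger heap
        // it burns ~2 GiB and only then fails the read with EOFException.
        try {
            readStringUnbounded(new DataInputStream(new ByteArrayInputStream(hostile)));
        } catch (OutOfMemoryError e) {
            System.out.println("unbounded, hostile: " + e);
        } catch (IOException e) {
            System.out.println("unbounded, hostile: allocation succeeded, then " + e);
        }
    }
}
```

Run it with a deliberately small heap (for example `java -Xmx64m ContextPayloadDecoder`) to see the unbounded path fail with OutOfMemoryError while the bounded path rejects the same bytes with a cheap IOException. The check has to compare the declared length against a limit before `new byte[len]`; checking after the read is too late, because the allocation is the cost.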
Affected Version(s)
opentelemetry-java-instrumentation < 2.27.0
