CVE-2026-39882
MEDIUMOpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies
Title source: cnaDescription
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58
X_Refsource_Misc x_refsource_misc
https://github.com/open-telemetry/opentelemetry-go/pull/8108
Scores
CVSS v3
5.3
EPSS
0.0019
EPSS Percentile
8.8%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-789
Status
published
Products (4)
open-telemetry/opentelemetry-go
< 1.43.0
opentelemetry/opentelemetry
< 1.43.0
otel/exporters
0 - 0.19.0Go
otel/exporters
0 - 1.43.0 (2 CPE variants)Go
Published
Apr 08, 2026
Tracked Since
Apr 09, 2026