CVE-2026-39883

HIGH

OpenTelemetry-Go has an incomplete fix for CVE-2026-24051: BSD kenv command not using absolute path enables PATH hijacking

Title source: cna

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.

References (2)

[X_Refsource_Confirm] https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx

[X_Refsource_Misc] http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0

Scores

CVSS v3 7.0

EPSS 0.0001

EPSS Percentile 0.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-426

Status published

Products (3)

open-telemetry/opentelemetry-go >= 1.15.0, < 1.43.0

opentelemetry/opentelemetry 1.15.0 - 1.43.0

otel/sdk 1.15.0 - 1.43.0Go

Published Apr 08, 2026

Tracked Since Apr 09, 2026