CVE-2026-41178

MEDIUM

OpenTelemetry-Go's baggage parsing no longer caps raw header length

Title source: cna

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835

X_Refsource_Misc x_refsource_misc

https://github.com/open-telemetry/opentelemetry-go/pull/7880

Scores

CVSS v3 5.3

EPSS 0.0042

EPSS Percentile 33.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-789

Status published

Products (8)

open-telemetry/go.opentelemetry.io/otel/baggage = 1.41.0

open-telemetry/go.opentelemetry.io/otel/baggage = 1.43.0

open-telemetry/go.opentelemetry.io/otel/propagation = 1.41.0

open-telemetry/go.opentelemetry.io/otel/propagation = 1.43.0

otel/baggage 1.41.0 - 1.42.0Go

otel/baggage 1.43.0 - 1.44.0Go

otel/propagation 1.41.0 - 1.42.0Go

otel/propagation 1.43.0 - 1.44.0Go

Published Jun 04, 2026

Tracked Since Jun 04, 2026