CVE-2026-45292 opentelemetry-java: Unbounded Memory Allocation in W3C Baggage Propagation

🗓️ 28 May 2026 16:37:29Reported by GitHub_MType

CVE-2026-45292: Oversized baggage parsing causes unbounded memory in OpenTelemetry Java; fixed in 1.62.0.

Reporter	Title	Published	Views	Family All 15
ATTACKERKB	CVE-2026-45292	28 May 202616:37	–	attackerkb
CNNVD	OpenTelemetry 安全漏洞	28 May 202600:00	–	cnnvd
CVE	CVE-2026-45292	28 May 202616:37	–	cve
EUVD	EUVD-2026-32953	28 May 202616:37	–	euvd
Github Security Blog	OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation	14 May 202616:36	–	github
NVD	CVE-2026-45292	28 May 202617:16	–	nvd
OSV	GHSA-RCGG-9C38-7XPX OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation	14 May 202616:36	–	osv
OSV	ROOT-APP-MAVEN-CVE-2026-45292 CVE-2026-45292 in io.root.io.opentelemetry:opentelemetry-api - Patched by Root	16 Jun 202611:54	–	osv
Positive Technologies	PT-2026-41161	14 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-45292	2 Jun 202614:43	–	redhatcve

[
  {
    "vendor": "open-telemetry",
    "product": "opentelemetry-java",
    "versions": [
      {
        "version": "< 1.62.0",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "io.opentelemetry",
    "product": "opentelemetry-api",
    "versions": [
      {
        "version": "1.62.0",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "io.opentelemetry",
    "product": "opentelemetry-extension-trace-propagators",
    "versions": [
      {
        "version": "1.62.0",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/open-telemetry/opentelemetry-java/releases/tag/v1.62.0
github	www.github.com/open-telemetry/opentelemetry-java/commit/03837d3c1763bc35464aea1078671e2ef2336a5f
github	www.github.com/open-telemetry/opentelemetry-java/security/advisories/GHSA-rcgg-9c38-7xpx
github	www.github.com/open-telemetry/opentelemetry-java/pull/8380

28 May 2026 16:37Current

CVSS 3.15.3

EPSS0.00501

CWE-770