EUVD-2026-34288

🗓️ 04 Jun 2026 14:38:23Reported by EUVDType

DoS from oversized baggage headers in versions 1.41.0 and 1.43.0; fixed in 1.42.0 and 1.44.0.

Reporter	Title	Published	Views	Family All 16
ATTACKERKB	CVE-2026-41178	4 Jun 202614:38	–	attackerkb
Circl	CVE-2026-41178	28 May 202617:04	–	circl
CVE	CVE-2026-41178	4 Jun 202614:38	–	cve
Cvelist	CVE-2026-41178 OpenTelemetry-Go's baggage parsing no longer caps raw header length	4 Jun 202614:38	–	cvelist
Debian CVE	CVE-2026-41178	4 Jun 202614:38	–	debiancve
Github Security Blog	opentelemetry-go's baggage parsing no longer caps raw header length	28 May 202617:04	–	github
NVD	CVE-2026-41178	4 Jun 202616:16	–	nvd
OSV	DEBIAN-CVE-2026-41178	4 Jun 202616:16	–	osv
OSV	GHSA-5WRP-CWCJ-Q835 opentelemetry-go's baggage parsing no longer caps raw header length	28 May 202617:04	–	osv
OSV	UBUNTU-CVE-2026-41178	5 Jun 202600:00	–	osv

[
  {
    "enisaIdVendor": [
      {
        "id": "b894fd9f-239c-35e5-9845-533e1f0f77f8",
        "vendor": {
          "name": "open-telemetry"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "0a813fc0-eab4-3438-8fbb-19994e7a909a",
        "product": {
          "name": "go.opentelemetry.io/otel/baggage",
          "vendor": {
            "name": "open-telemetry"
          }
        },
        "product_version": "= 1.41.0"
      },
      {
        "id": "56e92402-11f1-390f-85ed-a8a42da53b2b",
        "product": {
          "name": "go.opentelemetry.io/otel/baggage",
          "vendor": {
            "name": "open-telemetry"
          }
        },
        "product_version": "= 1.43.0"
      },
      {
        "id": "833ecc1d-8fcd-3704-a678-2c46a8d6c972",
        "product": {
          "name": "go.opentelemetry.io/otel/propagation",
          "vendor": {
            "name": "open-telemetry"
          }
        },
        "product_version": "= 1.41.0"
      },
      {
        "id": "b90c0e8d-dd74-3bde-a814-fbad26e8bd90",
        "product": {
          "name": "go.opentelemetry.io/otel/propagation",
          "vendor": {
            "name": "open-telemetry"
          }
        },
        "product_version": "= 1.43.0"
      }
    ]
  }
]

Source	Link
github	www.github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835
github	www.github.com/open-telemetry/opentelemetry-go/pull/7880

04 Jun 2026 15:46Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.15.3

SSVC