0perator (>=0.1.0 <=0.3.0), 0pflow (>=0.1.0 <=0.1.0-dev.f5622ac) +1825 more potentially affected by CVE-2026-44902 via @opentelemetry/exporter-prometheus (>=0.10.2 <=0.216.0)

@opentelemetry/exporter-prometheus NPM version =0.10.2, =0.1.0, =0.1.0, =0.1.1, =0.0.1, =0.8.0, =0.1.1, =0.1.1, =0.1.1, =0.1.8, =0.1.5, =0.0.0-dev-nicolas-fix-publishing-aurora-mcp-1750279939, =0.0.65, =0.3.4, =0.1.0, =0.4.0, =5.0.1-staging.f17326334 and more Source cves: CVE-2026-44902 Source...

PT-2026-39676

Summary A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. You...

GHSA-WFR5-454P-MJC2 OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured

Summary The OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANAENDPOINTPROXY environment variable. If a network attacker can Man-in-the-Middle MitM the...

OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured

Summary The OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANAENDPOINTPROXY environment variable. If a network attacker can Man-in-the-Middle MitM the...

opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay

Summary A server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azureauth. The extension's Authenticate metho...

CVE-2026-41483

OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker w...

CVE-2026-41310

OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spa...

EUVD-2026-28222

OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spa...

CVE-2026-41310 OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth

OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spa...

CVE-2026-41310

OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spa...

CVE-2026-41310

OpenTelemetry.Exporter.Zipkin for .NET (Zipkin exporter) has an unbounded remote endpoint cache in versions up to 1.15.2, where keys derived from span attributes can grow without bound in high-cardinality scenarios, leading to memory growth and degraded availability. The issue is addressed in ver...

OpenTelemetry 安全漏洞

OpenTelemetry is an open-source, vendor-neutral, open-source observability framework developed by OpenTelemetry. Versions of OpenTelemetry 1.15.0-beta.1 and earlier contain security vulnerabilities. These vulnerabilities stem from the AzureVmMetaDataRequestor class, which reads response bodies...

OpenTelemetry .NET Contrib 安全漏洞

OpenTelemetry .NET Contrib is an open-source telemetry data collection and processing library developed by OpenTelemetry - CNCF. Versions of OpenTelemetry .NET Contrib prior to 1.15.0 contain security vulnerabilities. These vulnerabilities stem from the HttpJsonPostTransport class, which allows...

PT-2026-38281

Name of the Vulnerable Software and Affected Versions azureauthextension versions 0.124.0 through 0.150.0 Description A server-side authentication bypass exists in the azureauthextension when used by an OpenTelemetry receiver with auth: azure auth. The Authenticate function fails to validate...

GHSA-W2JH-77FQ-7GP8 OpAMP client reads unbounded HTTP response bodies

Summary When receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured OpAMP server i...

actix-web-opentelemetry (>=0.2.0 <=0.17.0), alopex-dataframe (=0.2.0) +197 more potentially affected by CVE-2026-43868 via thrift (>=0.0.4 <=0.17.0)

thrift CARGO version =0.0.4, =0.2.0, =0.3.0, =0.3.5, =0.3.5, =0.2.0, =0.7.0, =0.1.0, =0.1.0, =0.32.1, =0.2.1, =0.5.0 and more Source cves: CVE-2026-43868 Source advisory: OSV:GHSA-2F9F-GQ7V-9H6M...

RHCOS 4 : OpenShift Container Platform 4.13.30 (RHSA-2024:0288)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:0288 advisory. - opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound cardinality metrics CVE-2023-47108 Note that Nessus has not tested f...

PT-2026-36819

Name of the Vulnerable Software and Affected Versions OpenTelemetry.Exporter.OpenTelemetryProtocol versions 1.8.0 through 1.15.2 Description The OTLP disk retry feature silently falls back to Path.GetTempPath when OTEL DOTNET EXPERIMENTAL OTLP RETRY is set to disk but OTEL DOTNET EXPERIMENTAL OTL...

GHSA-VC24-J8C5-2VW4 OpenTelemetry.Resources.Azure has an unbounded HTTP response body read

Summary OpenTelemetry.Resources.Azure reads unbounded HTTP response bodies from the Azure VM remote instance metadata service endpoint into memory. This would allow an attacker-controlled endpoint or one acting as a Man-in-the-Middle MitM to cause excessive memory allocation and possible process...

PT-2026-37116

Name of the Vulnerable Software and Affected Versions OpenTelemetry.Exporter.OneCollector versions prior to 1.15.1 Description When exporting telemetry to a back-end or collector over HTTP, the HttpJsonPostTransport class reads the entire response body into memory without an upper bound if the...