CVE-2026-40891 OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol OTLP, the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could...

CVE-2026-40182

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format OTLP, if the request results in a unsuccessful request i.e. HTTP 4xx or 5xx, the response is read into memory...

CVE-2026-40182 OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format OTLP, if the request results in a unsuccessful request i.e. HTTP 4xx or 5xx, the response is read into memory...

CVE-2026-40182

OpenTelemetry dotnet OTLP exporter (versions 1.13.1–1.15.1) is affected. When exporting via gRPC/HTTP and the response status is 4xx/5xx, the client reads the entire HTTP response body into memory without an upper bound. This can cause memory exhaustion in the consuming application if the back-en...

CVE-2026-40182 OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format OTLP, if the request results in a unsuccessful request i.e. HTTP 4xx or 5xx, the response is read into memory...

OpenTelemetry .NET 安全漏洞

OpenTelemetry .NET is the .NET client of OpenTelemetry developed by OpenTelemetry Inc. OpenTelemetry .NET versions 1.6.0-rc.1 and earlier have a security vulnerability. This vulnerability arises from the internal pooling list size growing due to a large number of spans/tags, which may lead to...

OpenTelemetry .NET 安全漏洞

OpenTelemetry .NET is the .NET client of OpenTelemetry developed by OpenTelemetry Inc. Versions of OpenTelemetry .NET from 1.13.1 to 1.15.2 contained a security vulnerability. This vulnerability stemmed from the unlimited response reading during the OTLP protocol export process, which could lead ...

PT-2026-34708

Name of the Vulnerable Software and Affected Versions OpenTelemetry dotnet versions 1.13.1 through 1.15.1 Description When exporting telemetry over gRPC using the OpenTelemetry Protocol OTLP, the exporter may parse a server-provided 'grpc-status-details-bin' trailer during retry handling. A...

PT-2026-34707

Name of the Vulnerable Software and Affected Versions OpenTelemetry dotnet versions 1.13.1 through 1.15.1 Description When exporting telemetry to a back-end or collector over gRPC or HTTP using the OpenTelemetry Protocol OTLP format, unsuccessful requests HTTP 4xx or 5xx result in the response...

OpenTelemetry .NET 安全漏洞

OpenTelemetry .NET is the .NET client of OpenTelemetry developed by OpenTelemetry Inc. There is a security vulnerability in OpenTelemetry .NET, which stems from the implementation details of baggage, B3, and Jaeger handling code. This vulnerability may lead to excessive memory allocation during...

CVE-2026-41242 vulnerabilities

Vulnerabilities for packages: gemini-cli, renovate, kubeflow-centraldashboard, langfuse, pulumi, vitess, kibana, langfuse-fips, opentelemetry-auto-instrumentations-node, librechat, jitsucom-jitsu...

GHSA-XQ3M-2V4X-88GG vulnerabilities

Vulnerabilities for packages: gemini-cli, renovate, kubeflow-centraldashboard, langfuse, pulumi, vitess, kibana, langfuse-fips, opentelemetry-auto-instrumentations-node, librechat, jitsucom-jitsu...

Allocation of Resources Without Limits or Throttling

Overview OpenTelemetry.Exporter.Jaeger is a Jaeger exporter for OpenTelemetry .NET Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the span and tag conversion. An attacker can drive sustained memory pressure and denial of service by...

PT-2026-33598

Name of the Vulnerable Software and Affected Versions OpenTelemetry.Exporter.Jaeger affected versions not specified Description This issue allows sustained memory pressure when the internal pooled-list sizing grows based on a large observed span or tag set and that enlarged size is reused for...

OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR

Summary A flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection is enabled and OBI is running with elevated privileges. The injector trusted TMPDIR from the target process and used unsafe file creation...

PT-2026-35073

Name of the Vulnerable Software and Affected Versions OpenTelemetry eBPF Instrumentation versions 0.4.0 through 0.7.x Description A flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection is enabled and the...

GHSA-F5V8-V6Q3-Q4H6 Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out)

Summary Meridian v2.1.0 Meridian.Mapping and Meridian.Mediator shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity — the advertised DefaultMaxCollectionItems and DefaultMaxDepth safety caps are silently bypassed on the IMapper.Mapsource, destination...

CLEANSTART-2026-PM81907 OpenTelemetry-Go is the Go implementation of OpenTelemetry

Multiple security vulnerabilities affect the prometheus package. OpenTelemetry-Go is the Go implementation of OpenTelemetry. See references for individual vulnerability details...

OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

...

OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies

...