CVE-2026-44967

OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters traces/metrics/logs read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...

Axios 安全漏洞

Axios is an open-source HTTP client developed by Axios. Versions 1.7.0 to 1.15.x of Axios contain security vulnerabilities. These vulnerabilities stem from the lack of enforcement of request and response size limits when using the fetch adapter, which may lead to resource exhaustion...

CVE-2026-41173

The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsyn...

CVE-2026-44219 ciguard: SCA HTTP client reads response body without size cap

ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py call payload = json.loadsresp.read.decode'utf-8' without a maximum-bytes cap. A hostile or compromised endoflife.date /...

CVE-2026-42348

OpenTelemetry.OpAmp.Client (OpenTelemetry .NET) is affected before version 0.2.0-alpha.1. The HTTP transport reads HttpResponseMessage.Content into memory using ReadAsByteArrayAsync without a size cap, allowing an unbounded read of the entire response body. This can cause memory exhaustion in the...

CVE-2026-41484 OpenTelemetry.Exporter.OneCollector vulnerable to denial of service via unbounded HTTP error response body

OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to the configured back-end or collector results in an unsuccessful HTTP 4xx or 5xx response, the HttpJsonPostTransport class reads the...

Allocation of Resources Without Limits or Throttling

Overview OpenTelemetry.Exporter.OneCollector is a The OneCollectorExporter is designed for Microsoft products to send data to public-facing end-points which route to Microsoft's internal data pipeline. It is not meant to be used outside of Microsoft products and is open sourced to demonstrate bes...

OneCollector exporter reads unbounded HTTP response bodies

Summary When exporting telemetry to a back-end/collector over HTTP using the OpenTelemetry.Exporter.OneCollector exporter, if the request results in a unsuccessful request i.e. HTTP 4xx or 5xx, the response is read into memory with no upper-bound on the number of bytes consumed. This could cause...

GHSA-55M9-299J-53C7 OneCollector exporter reads unbounded HTTP response bodies

Summary When exporting telemetry to a back-end/collector over HTTP using the OpenTelemetry.Exporter.OneCollector exporter, if the request results in a unsuccessful request i.e. HTTP 4xx or 5xx, the response is read into memory with no upper-bound on the number of bytes consumed. This could cause...

PT-2026-37115

Name of the Vulnerable Software and Affected Versions OpenTelemetry.Resources.Azure versions prior to 1.15.0-beta.2 Description The AzureVmMetaDataRequestor function makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without a size limit. An...

GHSA-Q834-8QMM-V933 OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies

Summary When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format OTLP, if the request results in a unsuccessful request i.e. HTTP 4xx or 5xx, the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory...

OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP response bodies

Summary When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format OTLP, if the request results in a unsuccessful request i.e. HTTP 4xx or 5xx, the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory...

CVE-2026-41173

The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsyn...

CVE-2026-41173 Unbounded HTTP response body read in OpenTelemetry.Sampler.AWS

The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsyn...

CVE-2026-40182

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format OTLP, if the request results in a unsuccessful request i.e. HTTP 4xx or 5xx, the response is read into memory...

PT-2026-34721

Name of the Vulnerable Software and Affected Versions OpenTelemetry.Sampler.AWS versions prior to 0.1.0-alpha.8 OpenTelemetry.Resources.AWS versions prior to 1.15.1 Description OpenTelemetry.Sampler.AWS and OpenTelemetry.Resources.AWS read unbounded HTTP response bodies from configured endpoints...

OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies

...

CVE-2026-39882

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...

UBUNTU-CVE-2026-39882

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...

CVE-2026-39882 OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters traces/metrics/logs read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is...