Vulnerability Details CVE-2026-39882
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.4%
CVSS Severity
CVSS v3 Score 5.3
References
Products affected by CVE-2026-39882
-
cpe:2.3:a:opentelemetry:opentelemetry:-
-
cpe:2.3:a:opentelemetry:opentelemetry:0.43.0
-
cpe:2.3:a:opentelemetry:opentelemetry:0.44.0
-
cpe:2.3:a:opentelemetry:opentelemetry:0.45.0
-
cpe:2.3:a:opentelemetry:opentelemetry:0.46.0