OpenTelemetry: Five CVEs Across Go, Java, JS, and .NET SDKs Disclosed Together
Five vulnerabilities spanning four OpenTelemetry language SDKs — Go, Java, JavaScript, and .NET — were disclosed in a 48-hour window, including a high-severity crash bug in the JS Prometheus exporter and a medium-severity TLS validation gap in the Instana exporter.

Key findings
- CVE-2026-44902 (CVSS 7.5) crashes Node.js processes via a single malformed HTTP request to the Prometheus metrics endpoint
- CVE-2026-45287 leaks file descriptors on every successful ParseFile call in the Go schema package
- CVE-2026-41178 is a DoS regression in Go baggage parsing after a PR removed raw-length caps
- CVE-2026-45292 affects Java SDK baggage propagation prior to version 1.62.0
- CVE-2026-44213 bypasses TLS certificate validation in the .NET Instana exporter when a proxy is configured
- All five CVEs have patches available; no active exploitation reported
The OpenTelemetry project disclosed five CVEs across four of its language SDKs between May 26 and May 28, 2026, covering denial-of-service, resource exhaustion, and TLS certificate validation weaknesses. The batch touches the Go, Java, JavaScript, and .NET implementations, making it one of the broadest same-week advisory drops for the observability framework this year.
Go SDK: File descriptor leak and baggage parsing regression
Two of the five CVEs affect the Go SDK (opentelemetry-go). CVE-2026-45287 (Low severity) is a file descriptor leak in the schema package (go.opentelemetry.io/otel/schema/v1.0 and v1.1). The ParseFile function opens a schema file and passes it to Parse without closing the handle. In a long-running telemetry pipeline, repeated schema parsing can exhaust the process's file descriptor limit, leading to service degradation.
CVE-2026-41178 (Medium severity) is a denial-of-service regression in the Go SDK's baggage parsing. A prior commit (PR #7880) removed the raw-length rejection that capped oversized baggage headers. Without that check, Parse processes arbitrarily large or malformed baggage strings, logging errors for each invalid member and consuming CPU/memory. An attacker sending oversized baggage headers can degrade or halt the receiving process.
Java SDK: Baggage parsing DoS
CVE-2026-45292 (CVSSv3 5.3, Medium) affects the Java SDK (opentelemetry-java) versions prior to 1.62.0. The vulnerability resides in the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage headers can trigger excessive resource consumption, enabling a denial-of-service condition. The fix is available in version 1.62.0 of the Java SDK.
JavaScript SDK: Unhandled crash in Prometheus exporter
The highest-severity CVE in the batch is CVE-2026-44902 (CVSSv3 7.5, High), affecting opentelemetry-js prior to version 0.217.0. The Prometheus exporter's metrics endpoint (listening on 0.0.0.0:9464 by default) lacks error handling around URL parsing. A single malformed HTTP request with an invalid URI causes an uncaught exception that crashes the entire Node.js process. Because the Prometheus endpoint is typically exposed for scraping, this is trivially exploitable by any network-accessible attacker. The fix is in opentelemetry-js 0.217.0.
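To make the JavaScript failure mode concrete, the following is an added example (not opentelemetry-js code) of a metrics request handler that parses the request target without error handling, placed beside the hardened form that answers 400 instead of letting the exception escape; the base URL, the route name and the sample metrics text are assumptions for illustration.

```javascript
// Added example, not code from opentelemetry-js. It reproduces the failure
// mode described for CVE-2026-44902 (a request target the URL parser
// rejects) and puts the hardened handler beside it. The base URL, the
// route name and the sample metrics text are assumptions for illustration.

const BASE = 'http://localhost:9464';   // assumed listen address of the exporter
const METRICS_PATH = '/metrics';        // assumed scrape route

// Vulnerable pattern: new URL() throws a TypeError on a malformed request
// target. Inside an http.Server 'request' listener that exception is
// uncaught, so a single bad request terminates the whole Node.js process.
function routeUnsafe(rawUrl) {
  const { pathname } = new URL(rawUrl, BASE);
  return pathname === METRICS_PATH
    ? { status: 200, body: '# constructed sample metrics\nup 1\n' }
    : { status: 404, body: 'not found\n' };
}

// Hardened pattern: a parse failure becomes a 400 response and the
// process keeps serving the scraper. Nothing else changes.
function routeSafe(rawUrl) {
  let pathname;
  try {
    ({ pathname } = new URL(rawUrl, BASE));
  } catch (err) {
    // Node.js reports these as TypeError with code 'ERR_INVALID_URL'.
    return { status: 400, body: 'bad request\n' };
  }
  return pathname === METRICS_PATH
    ? { status: 200, body: '# constructed sample metrics\nup 1\n' }
    : { status: 404, body: 'not found\n' };
}

// True when the handler survives the request target without throwing,
// i.e. when it would not crash the exporter process.
function survivesRequest(route, rawUrl) {
  try {
    route(rawUrl);
    return true;
  } catch (_) {
    return false;
  }
}

// Constructed request targets: two malformed hosts that the WHATWG URL
// parser rejects (unterminated IPv6 literal, space in the host name).
const MALFORMED_TARGETS = ['http://[::1/metrics', 'http://exa mple:9464/metrics'];
```

Wired into an http.Server, the TypeError thrown by routeUnsafe escapes the 'request' listener as an uncaught exception, which is the whole-process crash the advisory describes; routeSafe turns the same input into a 400 and the scrape endpoint stays up.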
.NET SDK: TLS certificate validation bypass
CVE-2026-44213 (CVSSv3 6.5, Medium) affects the OpenTelemetry.Exporter.Instana NuGet package prior to version 1.1.0. When a proxy is configured via the INSTANA_ENDPOINT_PROXY environment variable, the exporter does not validate HTTPS/TLS certificates when connecting to the Instana backend. This allows a man-in-the-middle attacker positioned on the network path to intercept or tamper with telemetry data. The fix ships in version 1.1.0 of the package.
Patch status and response
All five CVEs have been addressed in the respective SDK releases: opentelemetry-go (patches in schema package and baggage handling), opentelemetry-java 1.62.0, opentelemetry-js 0.217.0, and OpenTelemetry.Exporter.Instana 1.1.0. Users should update to the latest versions of each SDK. No in-the-wild exploitation has been reported for any of the five CVEs as of the disclosure date.
Why this batch matters
This coordinated disclosure highlights the challenge of maintaining consistent security posture across a multi-language observability framework. While none of the individual bugs are critical on their own, the breadth — four SDKs, three bug classes (DoS, resource leak, TLS bypass) — means that organizations running heterogeneous OpenTelemetry deployments need to patch across their Go, Java, JS, and .NET pipelines simultaneously. The JS Prometheus exporter crash (CVE-2026-44902) is the most urgent given its high severity and trivial exploitability from any network peer.