OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking
Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in versions v1.20.0 to 1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command by bare name, so the binary is resolved through the PATH search path rather than from a fixed location. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.
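The patched pattern, plus a defence-in-depth executor that refuses any command name that would be resolved through PATH, as an added example written for this page (not the SDK's own code). The `run` parameter and `execAbsolute` are assumptions standing in for the SDK's `commandExecutor`; the ioreg output is constructed so the example runs on any OS.

```go
package main
import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"regexp"
)

// ioregPath is the absolute path the fix pins, so PATH is never consulted.
const ioregPath = "/usr/sbin/ioreg"

var (
	errRelativeCommand = errors.New("refusing command name that would be resolved via PATH")
	platformUUIDRe     = regexp.MustCompile(`"IOPlatformUUID"\s*=\s*"([^"]+)"`)
)

// execAbsolute is a defence-in-depth executor: os/exec walks PATH (exec.LookPath) only
// when the name has no path separator, so requiring an absolute path defeats PATH hijack.
func execAbsolute(name string, arg ...string) (string, error) {
	if !filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: %q", errRelativeCommand, name)
	}
	out, err := exec.Command(name, arg...).Output()
	return string(out), err
}

// parseIOPlatformUUID extracts the host ID from the `"IOPlatformUUID" = "<uuid>"` line.
func parseIOPlatformUUID(output string) (string, error) {
	if m := platformUUIDRe.FindStringSubmatch(output); m != nil {
		return m[1], nil
	}
	return "", errors.New("IOPlatformUUID not found in ioreg output") // never a silent ""
}

// readDarwinHostID is the patched pattern; run stands in for the SDK's commandExecutor.
func readDarwinHostID(run func(string, ...string) (string, error)) (string, error) {
	out, err := run(ioregPath, "-rd1", "-c", "IOPlatformExpertDevice")
	if err != nil {
		return "", err
	}
	return parseIOPlatformUUID(out)
}
func main() {
	// Constructed stand-in for ioreg output so this runs on any OS.
	fake := func(string, ...string) (string, error) {
		return `    "IOPlatformUUID" = "3F2504E0-4F89-11D3-9A0C-0305E82C3301"`, nil
	}
	fmt.Println(readDarwinHostID(fake))
}
```

Wiring `execAbsolute` in as the executor turns any regression to a bare `"ioreg"` into an immediate error instead of a PATH lookup.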
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| go.opentelemetry.io/otel/sdk (Go) | >= 1.21.0, < 1.40.0 | 1.40.0 |
Affected products
- Range: bridge/opencensus/test/v0.44.0, bridge/opencensus/test/v0.45.0, bridge/opencensus/test/v1.23.0, …
Patches
d45961bcda45 resource: specify full path for ioreg command in Darwin host ID reader (#7818)
2 files changed · +3 −2
CHANGELOG.md+1 −0 modified@@ -32,6 +32,7 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm - Fix bad log message when key-value pairs are dropped because of key duplication in `go.opentelemetry.io/otel/sdk/log`. (#7662) - Fix `DroppedAttributes` on `Record` in `go.opentelemetry.io/otel/sdk/log` to not count the non-attribute key-value pairs dropped because of key duplication. (#7662) - Fix `SetAttributes` on `Record` in `go.opentelemetry.io/otel/sdk/log` to not log that attributes are dropped when they are actually not dropped. (#7662) +- `WithHostID` detector in `go.opentelemetry.io/otel/sdk/resource` to use full path for `ioreg` command on Darwin (macOS). (#7818) - Fix missing `request.GetBody` in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` to correctly handle HTTP2 GOAWAY frame. (#7794) <!-- Released section -->
sdk/resource/host_id.go+2 −2 modified@@ -51,11 +51,11 @@ type hostIDReaderDarwin struct { execCommand commandExecutor } -// read executes `ioreg -rd1 -c "IOPlatformExpertDevice"` and parses host id +// read executes `/usr/sbin/ioreg -rd1 -c "IOPlatformExpertDevice"` and parses host id // from the IOPlatformUUID line. If the command fails or the uuid cannot be // parsed an error will be returned. func (r *hostIDReaderDarwin) read() (string, error) { - result, err := r.execCommand("ioreg", "-rd1", "-c", "IOPlatformExpertDevice") + result, err := r.execCommand("/usr/sbin/ioreg", "-rd1", "-c", "IOPlatformExpertDevice") if err != nil { return "", err }
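Review bot: the CHANGELOG entry added in the first hunk is the only one in this list without a leading verb; the surrounding entries all read "Fix ...", so it should be "- Fix `WithHostID` detector in `go.opentelemetry.io/otel/sdk/resource` to use full path for `ioreg` command on Darwin (macOS). (#7818)", and since this closes GHSA-9h8m-3fm2-qjrq the entry should name the advisory so consumers can map the release to the fix.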
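Review bot: the host_id.go hunk should ship with a test, because `execCommand` is an injected `commandExecutor` and nothing in the diff asserts that it is now called with `/usr/sbin/ioreg`; a unit test that records the name passed to the executor would stop a later refactor from reintroducing the bare `"ioreg"` without failing CI. The change itself is sound: with an absolute path `os/exec` no longer consults PATH, and the error path is unchanged, so a missing binary at that location surfaces as the existing `return "", err` rather than a silent empty host ID.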
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9h8m-3fm2-qjrq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-24051 (ghsa, ADVISORY)
- github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53 (ghsa, x_refsource_MISC, WEB)
- github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq (ghsa, x_refsource_CONFIRM, WEB)
- pkg.go.dev/vuln/GO-2026-4394 (ghsa, WEB)