VYPR
High severity 7.5 · NVD Advisory · Published Apr 7, 2026 · Updated Apr 14, 2026

CVE-2026-29181


Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, extraction of a multi-value baggage: header parses each header field-value independently and aggregates the members across all values. This allows an attacker to amplify CPU usage and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package: go.opentelemetry.io/otel (Go)
Affected versions: >= 1.36.0, < 1.41.0
Patched versions: 1.41.0

Affected products

789
