High severity7.0NVD Advisory· Published Apr 8, 2026· Updated Apr 10, 2026
CVE-2026-39883
CVE-2026-39883
Description
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
go.opentelemetry.io/otel/sdkGo | >= 1.15.0, < 1.43.0 | 1.43.0 |
Affected products
1- cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:*Range: >=1.15.0,<1.43.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhxnvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-hfvc-g4fc-pqhxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-39883ghsaADVISORY
- github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.