Medium severity5.3NVD Advisory· Published Apr 23, 2026· Updated Apr 28, 2026
CVE-2026-40894
CVE-2026-40894
Description
OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
OpenTelemetry.ApiNuGet | >= 0.5.0-beta.2, < 1.15.3 | 1.15.3 |
OpenTelemetry.Extensions.PropagatorsNuGet | >= 1.3.1, < 1.15.3 | 1.15.3 |
Affected products
3- cpe:2.3:a:opentelemetry:opentelemetry.api:*:*:*:*:*:.net:*:*Range: >=0.5.0,<1.15.3
- cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:*:*:*:*:*:*:*:*Range: >1.3.0,<1.15.3
- cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*Range: >=0.5.0,<1.15.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- github.com/open-telemetry/opentelemetry-dotnet/pull/1048nvdIssue TrackingPatchWEB
- github.com/open-telemetry/opentelemetry-dotnet/pull/3244nvdIssue TrackingPatchWEB
- github.com/open-telemetry/opentelemetry-dotnet/pull/3309nvdIssue TrackingPatchWEB
- github.com/open-telemetry/opentelemetry-dotnet/pull/533nvdIssue TrackingPatchWEB
- github.com/open-telemetry/opentelemetry-dotnet/pull/7061nvdIssue TrackingPatchWEB
- github.com/advisories/GHSA-g94r-2vxg-569jghsaADVISORY
- github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569jnvdVendor AdvisoryMitigationWEB
- nvd.nist.gov/vuln/detail/CVE-2026-40894ghsaADVISORY
- github.com/open-telemetry/opentelemetry-dotnet/pull/3533ghsaWEB
- github.com/open-telemetry/opentelemetry-dotnet/releases/tag/core-1.15.3ghsaWEB
News mentions
0No linked articles in our index yet.