CVE-2026-42191
Description
OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH was not configured. The exporter stored and loaded *.blob files under fixed, signal-named subdirectories (traces, metrics, logs) beneath that shared temporary root path. On multi-user systems where the temporary directory is accessible to other local accounts, this allows an attacker to write crafted *.blob files, read *.blob files written by the application between export failures, or deposit numerous or oversized blob files, degrading retry-loop performance or consuming disk space. This vulnerability is fixed in 1.15.3.
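A configuration audit for the condition described above, as an added example (not code from the advisory or from the OpenTelemetry project). It flags disk retry enabled without an explicit directory, a configured directory that other accounts can access, and `*.blob` files the service did not write. The function name, finding labels, case-insensitive matching of `disk`, and POSIX permission model are assumptions.

```python
import os
import stat
from pathlib import Path

RETRY_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY"
DIR_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH"
SIGNAL_DIRS = ("traces", "metrics", "logs")  # fixed subdirectory names per the advisory


def audit_disk_retry(env, temp_root, service_uid=None):
    """Audit one service environment (a dict) on a POSIX host; return finding strings.

    temp_root stands in for what Path.GetTempPath() returns for the service.
    service_uid is the account the service runs as (default: the current user).
    """
    uid = os.geteuid() if service_uid is None else service_uid
    findings = []
    # Assumption: the value is matched here case-insensitively after trimming.
    if env.get(RETRY_VAR, "").strip().lower() != "disk":
        return findings  # disk retry is off, so no blob directory is in use

    configured = env.get(DIR_VAR, "").strip()
    if not configured:
        # Affected versions (1.8.0 to 1.15.2) fall back to the shared temp root.
        findings.append("no-directory-configured")
        root = Path(temp_root)
    else:
        root = Path(configured)
        if not root.is_dir():
            findings.append("directory-missing")
            return findings
        st = root.stat()
        if st.st_uid != uid:
            findings.append("directory-owned-by-another-account")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("directory-accessible-to-other-accounts")

    # Blob files in the signal-named subdirectories that the service did not write.
    for name in SIGNAL_DIRS:
        sub = root / name
        if sub.is_dir():
            for blob in sorted(sub.glob("*.blob")):
                if blob.stat().st_uid != uid:
                    findings.append(f"foreign-blob:{name}/{blob.name}")
    return findings
```

Run it as the service account, or pass that account's UID as `service_uid`, so ownership comparisons reflect the process that actually exports telemetry.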
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) | >= 1.8.0, < 1.15.3 | 1.15.3 |
Affected products
- Range: >= 1.8.0, <= 1.15.2
- osv-coords (4 versions): pkg:apk/chainguard/azure-functions-host, pkg:apk/chainguard/promitor, pkg:apk/wolfi/promitor, pkg:nuget/opentelemetry.exporter.opentelemetryprotocol
- (no CPE) range: < 4.1048.200-r1
- (no CPE) range: < 2.15.0-r1
- (no CPE) range: < 2.15.0-r1
- (no CPE) range: >= 1.8.0, < 1.15.3
References
- github.com/open-telemetry/opentelemetry-dotnet/pull/7106 (nvd: Issue Tracking, Patch, WEB)
- github.com/advisories/GHSA-4625-4j76-fww9 (ghsa: ADVISORY)
- github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-4625-4j76-fww9 (nvd: Mitigation, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-42191 (ghsa: ADVISORY)
- github.com/open-telemetry/opentelemetry-dotnet/commit/78dffdc5ebdf3dc090fdb94e3f1a32d3d1e26dfd (ghsa: WEB)