VYPR
Low severityGHSA Advisory· Published Jun 4, 2026· Updated Jun 8, 2026

CVE-2026-45287

CVE-2026-45287

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, go.opentelemetry.io/otel/schema/v1.0 and go.opentelemetry.io/otel/schema/v1.1 leaks one file descriptor on each successful ParseFile call. ParseFile opens the schema file and passes it to Parse without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
go.opentelemetry.io/otel/schema/v1.1Go
< 0.0.170.0.17
go.opentelemetry.io/otel/schema/v1.0Go
< 0.0.170.0.17

Affected products

1

Patches

Vulnerability mechanics

References

5

News mentions

1