OpenTelemetry: Five CVEs Across Go, Java, JS, and .NET SDKs Disclosed Together
Five vulnerabilities spanning four OpenTelemetry language SDKs were disclosed in a 48-hour window, including a high-severity crash bug in the JS Prometheus exporter and a medium-severity TLS validation gap in the Instana exporter.

The OpenTelemetry project disclosed five CVEs across four of its language SDKs between May 26 and May 28, 2026, covering denial-of-service, resource exhaustion, and TLS certificate validation weaknesses. The batch touches the Go, Java, JavaScript, and .NET implementations, making it one of the broadest same-week advisory drops for the observability framework this year.
Two of the five CVEs affect the Go SDK (opentelemetry-go). CVE-2026-45287 (Low severity) is a file descriptor leak in the schema package. The ParseFile function opens a schema file and passes it to Parse without closing the handle, potentially exhausting file descriptors in long-running telemetry pipelines. CVE-2026-41178 (Medium severity) is a denial-of-service regression in baggage parsing after a prior commit removed raw-length caps, allowing oversized baggage headers to degrade or halt the receiving process.
CVE-2026-45292 (CVSSv3 5.3, Medium) affects the Java SDK (opentelemetry-java) versions prior to 1.62.0. The vulnerability resides in the baggage propagation implementation, where parsing oversized baggage headers can trigger excessive resource consumption, enabling a denial-of-service condition. The fix is available in version 1.62.0.
The highest-severity CVE is CVE-2026-44902 (CVSSv3 7.5, High), affecting opentelemetry-js prior to version 0.217.0. The Prometheus exporter's metrics endpoint lacks error handling around URL parsing, so a single malformed HTTP request with an invalid URI causes an uncaught exception that crashes the entire Node.js process. Because the Prometheus endpoint is typically exposed for scraping, this is trivially exploitable by any network-accessible attacker.
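A minimal illustration of the failure mode just described, added here as an example and not taken from the opentelemetry-js exporter: the same request-target routing with and without error handling around URL parsing. The handler names, the base URL, the sample exposition text and the malformed request target `//[::1/metrics` are constructed for this example.

```javascript
// Illustration of the bug class behind CVE-2026-44902 (added example, not the
// opentelemetry-js exporter's code): a metrics endpoint that parses the request
// target with `new URL()` and has no error handling around it. Function names
// and the sample exposition text are constructed for this example.

// Constructed sample Prometheus exposition payload the endpoint would serve.
const SAMPLE_EXPOSITION =
  '# TYPE http_requests_total counter\n' +
  'http_requests_total{method="GET"} 42\n';
// A relative request target (Node's req.url) needs a base URL to be resolvable.
const BASE = 'http://localhost:9464';

// Vulnerable shape: a malformed request target makes `new URL()` throw a
// TypeError (ERR_INVALID_URL). Thrown synchronously inside an http 'request'
// listener it is uncaught and terminates the whole Node.js process.
function routeMetricsUnsafe(rawUrl) {
  const url = new URL(rawUrl, BASE); // throws on e.g. '//[::1/metrics'
  if (url.pathname === '/metrics') return { status: 200, body: SAMPLE_EXPOSITION };
  return { status: 404, body: 'not found\n' };
}

// Hardened shape: the request target is untrusted input, so a parse failure
// is answered with 400 and never allowed to escape the handler.
function routeMetricsSafe(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl, BASE);
  } catch (err) {
    if (err instanceof TypeError) return { status: 400, body: 'bad request\n' };
    throw err; // anything else is a genuine bug and should surface
  }
  if (url.pathname === '/metrics') return { status: 200, body: SAMPLE_EXPOSITION };
  return { status: 404, body: 'not found\n' };
}

// True if `router` throws for this request target; lets the two shapes be
// compared without crashing the process that runs the comparison.
function parseThrows(router, rawUrl) {
  try { router(rawUrl); return false; } catch (_) { return true; }
}

// Wires the hardened router into a real server (not started automatically).
function startServer(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    const { status, body } = routeMetricsSafe(req.url);
    res.writeHead(status, { 'Content-Type': 'text/plain; version=0.0.4' });
    res.end(body);
  }).listen(port);
}
```

Inside a live `http` request listener, `routeMetricsUnsafe` on the malformed target would take the process down, while `routeMetricsSafe` answers the same request with 400 and keeps the scrape endpoint available.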
CVE-2026-44213 (CVSSv3 6.5, Medium) affects the OpenTelemetry.Exporter.Instana NuGet package prior to version 1.1.0. When a proxy is configured via the INSTANA_ENDPOINT_PROXY environment variable, the exporter does not validate HTTPS/TLS certificates when connecting to the Instana backend, allowing a man-in-the-middle attacker to intercept or tamper with telemetry data.
All five CVEs have been addressed in the respective SDK releases: opentelemetry-go (patches in schema package and baggage handling), opentelemetry-java 1.62.0, opentelemetry-js 0.217.0, and OpenTelemetry.Exporter.Instana 1.1.0. Users should update to the latest versions of each SDK. No in-the-wild exploitation has been reported for any of the five CVEs as of the disclosure date.
This coordinated disclosure highlights the challenge of maintaining consistent security posture across a multi-language observability framework. While none of the individual bugs are critical on their own, the breadth — four SDKs, three bug classes (DoS, resource leak, TLS bypass) — means that organizations running heterogeneous OpenTelemetry deployments need to patch across their Go, Java, JS, and .NET pipelines simultaneously. The JS Prometheus exporter crash (CVE-2026-44902) is the most urgent given its high severity and trivial exploitability from any network peer.