VYPR
Vendor

Opentelemetry

Products
21
CVEs
47
Across products
53
Status
Private

Products

21

Recent CVEs

47
View all 47 CVEs →
  • CVE-2026-41433HigApr 24, 2026
    risk 0.55cvss 8.4epss 0.00

    OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection is…

  • CVE-2026-44902HigMay 27, 2026
    risk 0.49cvss 7.5epss 0.00

    opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a…

  • CVE-2026-42602HigMay 13, 2026
    risk 0.46cvss 8.1epss 0.00

    azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate…

  • CVE-2026-45686HigJun 2, 2026
    risk 0.42cvss 7.5epss 0.00

    OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, a remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service.…

  • CVE-2026-45685HigJun 2, 2026
    risk 0.42cvss 7.5epss 0.00

    OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.1.0 to before version 0.9.0, malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to…

  • CVE-2026-45678HigJun 2, 2026
    risk 0.42cvss 7.5epss 0.00

    OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Postgres protocol parser assumes BIND message payloads contain a valid NUL-terminated portal name. A crafted empty or unterminated payload can make…

  • CVE-2026-29181HigApr 7, 2026
    risk 0.42cvss 7.5epss 0.00

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many…

  • CVE-2025-27513HigMar 5, 2025
    risk 0.42cvss 7.5epss 0.00

    OpenTelemetry dotnet is a dotnet telemetry framework. A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. Even if an application does not explicitly use trace context…

  • CVE-2026-39883HigApr 8, 2026
    risk 0.39cvss 7.0epss 0.00

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris…

  • CVE-2026-24051HigFeb 2, 2026
    risk 0.39cvss 7.0epss 0.00

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system…

  • CVE-2026-47701higJun 10, 2026
    risk 0.38cvss epss 0.00

    ## Affected Repository: github.com/open-telemetry/opentelemetry-operator Component: cmd/otel-allocator (TargetAllocator) Companion: Prometheus Operator API types (CRDs) ## Summary OpenTelemetry Operator's TargetAllocator watches `ServiceMonitor` resources via the Prometheus…

  • CVE-2026-45679MedJun 2, 2026
    risk 0.35cvss 6.5epss 0.00

    OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this…

  • CVE-2026-44213MedMay 26, 2026
    risk 0.35cvss 6.5epss 0.00

    The OpenTelemetry.Exporter.Instana exports telemetry to Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using…

  • CVE-2026-42191MedMay 12, 2026
    risk 0.35cvss 6.5epss 0.00

    OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath() when…

  • CVE-2024-42368MedAug 13, 2024
    risk 0.35cvss 6.5epss 0.01

    OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple,…

  • CVE-2026-45681MedJun 2, 2026
    risk 0.31cvss 5.9epss 0.00

    OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the per-CPU message-buffer fallback path uses a 256-byte backup buffer but preserves the original payload size, which can be up to 8KB. If a CPU mismatch…

  • CVE-2026-45680MedJun 2, 2026
    risk 0.31cvss 5.9epss 0.00

    OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very…

  • CVE-2026-42348MedMay 12, 2026
    risk 0.31cvss 5.9epss 0.00

    OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes…

  • CVE-2026-41483MedMay 6, 2026
    risk 0.31cvss 5.9epss 0.00

    OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size…

  • CVE-2026-41173MedApr 23, 2026
    risk 0.31cvss 5.9epss 0.00

    The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. …