{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39882", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T20:32:03.010Z", "datePublished": "2026-04-08T20:24:19.246Z", "dateUpdated": "2026-04-09T20:22:03.109Z"}, "containers": {"cna": {"title": "OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies", "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58"}, {"name": "https://github.com/open-telemetry/opentelemetry-go/pull/8108", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-go/pull/8108"}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-go", "versions": [{"version": "< 1.43.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:24:19.246Z"}, "descriptions": [{"lang": "en", "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0."}], "source": {"advisory": "GHSA-w8rr-5gcm-pp58", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T20:21:49.122499Z", "id": "CVE-2026-39882", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:22:03.109Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39882", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T20:21:49.122499Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:21:56.599Z"}}], "cna": {"title": "OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies", "source": {"advisory": "GHSA-w8rr-5gcm-pp58", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-go", "versions": [{"status": "affected", "version": "< 1.43.0"}]}], "references": [{"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58", "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/open-telemetry/opentelemetry-go/pull/8108", "name": "https://github.com/open-telemetry/opentelemetry-go/pull/8108", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:24:19.246Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39882", "state": "PUBLISHED", "dateUpdated": "2026-04-09T20:22:03.109Z", "dateReserved": "2026-04-07T20:32:03.010Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T20:24:19.246Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:*", "matchCriteriaId": "48C60612-5E76-4FB5-8E3B-070E51A1455B", "versionEndExcluding": "1.43.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0."}], "id": "CVE-2026-39882", "lastModified": "2026-04-09T18:39:55.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T21:17:00.547", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/open-telemetry/opentelemetry-go/pull/8108"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.43.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "opentelemetry-go", "source": "cna", "vendor": "open-telemetry"}, "product": "opentelemetry-go", "vendor": "opentelemetry"}], "analysis": {"en": {"generated_at": "2026-04-09T19:23:54.290466+00:00", "value": {"mitigation_remediation": ["Upgrade to opentelemetry-go version 1.43.0 or newer.", "Ensure the collector endpoint is secure and not controlled by an adversary.", "Monitor memory usage of exporter processes for sudden growth.", "If upgrading immediately is not possible, consider network-level controls to limit response sizes."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "OpenTelemetry-Go, the Go implementation of OpenTelemetry, is affected in all versions prior to 1.43.0. Users running any of those versions with OTLP HTTP exporters for traces, metrics, or logs are vulnerable. The product is identified as open-telemetry:opentelemetry-go. No specific patch versions beyond 1.43.0 are listed in the advisory.", "description_and_impact": "OpenTelemetry-Go's OTLP HTTP exporters read the entire HTTP response body into an in-memory buffer without a size limit. This results in uncontrolled memory consumption when the collector endpoint is controlled by an attacker or can be MITM, potentially exhausting system memory and causing a denial of service.\n\nAn attacker can trigger the issue by directing the exporter to a malicious or spoofed endpoint that sends large body payloads, or by intercepting the network traffic to inject a similarly large response. The flaw exemplifies a CWE-789 vulnerability where unbounded data is accepted.\n\nThe impact is a local denial of service on any system running the exporter, which could interrupt telemetry collection and affect system availability.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity vulnerability. An EPSS score of less than 1% suggests a low probability of exploitation. It is not listed in the CISA KEV catalogue. Exploitation requires the ability to control or intercept the collector endpoint, which typically involves remote or network-level access. The vulnerability can lead to a local denial of service, which may be significant in systems requiring high availability."}}}}, "created": "2026-04-09T08:17:58.831102+00:00", "updated": "2026-04-10T09:40:34.791426+00:00", "vendors": ["opentelemetry", "opentelemetry$PRODUCT$opentelemetry-go"]}