CVE-2026-29181 PUBLISHED

OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

Assigner: GitHub_M
Reserved: 04.03.2026 Published: 07.04.2026 Updated: 08.04.2026

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	open-telemetry
Product	opentelemetry-go
Versions	Version >= 1.36.0, < 1.41.0 is affected

References

https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE