CVE-2026-41178 PUBLISHED

OpenTelemetry-Go's baggage parsing no longer caps raw header length

Assigner: GitHub_M
Reserved: 17.04.2026 Published: 04.06.2026 Updated: 04.06.2026

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	open-telemetry
Product	go.opentelemetry.io/otel/baggage
Versions	Version = 1.41.0 is affected Version = 1.43.0 is affected

Vendor	open-telemetry
Product	go.opentelemetry.io/otel/propagation
Versions	Version = 1.41.0 is affected Version = 1.43.0 is affected

References

Problem Types

CWE-789: Memory Allocation with Excessive Size Value CWE