CVE-2026-29181 | THREATINT

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.

PUBLISHED Reserved 2026-03-04 | Published 2026-04-07 | Updated 2026-04-08 | Assigner GitHub_M

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

>= 1.36.0, < 1.41.0

affected

References

github.com/...try-go/security/advisories/GHSA-mh2q-q3fh-2475

cve.org (CVE-2026-29181)

nvd.nist.gov (CVE-2026-29181)

Download JSON