CVE-2026-39883 | THREATINT

Description

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.

PUBLISHED Reserved 2026-04-07 | Published 2026-04-08 | Updated 2026-04-10 | Assigner GitHub_M

HIGH: 7.3CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-426: Untrusted Search Path

Product status

>= 1.15.0, < 1.43.0

affected

References

github.com/...try-go/security/advisories/GHSA-hfvc-g4fc-pqhx

github.com/...elemetry/opentelemetry-go/releases/tag/v1.43.0

cve.org (CVE-2026-39883)

nvd.nist.gov (CVE-2026-39883)

Download JSON