
Description

opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and of the SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing an oversized baggage header causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0.

PUBLISHED | Reserved 2026-05-11 | Published 2026-05-28 | Updated 2026-05-28 | Assigner GitHub_M

Severity: MEDIUM, 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

< 1.62.0: affected

1.62.0: affected

1.62.0: affected

References

github.com/...y-java/security/advisories/GHSA-rcgg-9c38-7xpx

github.com/open-telemetry/opentelemetry-java/pull/8380

github.com/...ommit/03837d3c1763bc35464aea1078671e2ef2336a5f

github.com/...emetry/opentelemetry-java/releases/tag/v1.62.0

cve.org (CVE-2026-45292)

nvd.nist.gov (CVE-2026-45292)
