CVE-2026-41178: OpenTelemetry-Go Baggage Parsing DoS Vulnerability
OpenTelemetry-Go versions 1.41.0 and 1.43.0 contain a denial-of-service vulnerability in their baggage header parsing logic. The removal of size validation allows attackers to send oversized or malformed baggage headers that cause the application to process arbitrarily large inputs, log excessive errors, and potentially exhaust system resources. This is a network-accessible vulnerability requiring no authentication, making it exploitable by any remote actor.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-789
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-18
NVD description (verbatim)
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-41178 affects OpenTelemetry-Go's baggage parsing mechanism. Versions 1.41.0 and 1.43.0 removed raw-length rejection validation, allowing the `Parse` function to accept and process baggage headers without size constraints. When malformed or oversized headers are submitted, the library logs errors for each processing attempt, creating an amplification vector for denial-of-service attacks. The vulnerability is classified under CWE-789 (Uncontrolled Memory Allocation). Patched versions 1.42.0 and 1.44.0 restore the size validation controls.
Business impact
Organizations using affected OpenTelemetry-Go versions in production services face availability risk. An attacker can craft requests with large baggage headers to trigger repeated parse failures and error logging, consuming CPU and disk I/O resources. This can degrade application performance, interfere with observability pipelines that rely on OpenTelemetry instrumentation, and potentially trigger cascading failures if error logging saturates log storage. The impact is primarily operational continuity rather than data confidentiality or integrity.
Affected systems
The vulnerability affects OpenTelemetry-Go versions 1.41.0 and 1.43.0. Any Go application that has instrumented its code with OpenTelemetry-Go and exposes HTTP endpoints accepting baggage headers is potentially vulnerable. This includes applications using OpenTelemetry for distributed tracing, metrics, or logs collection. Versions 1.42.0 and 1.44.0 contain the fix and should be targeted for upgrade.
Exploitability
Exploitability is straightforward. The vulnerability requires only network access and no authentication or user interaction. An attacker can craft HTTP requests with intentionally large or malformed baggage headers and send them to any exposed endpoint. The CVSS score of 5.3 (MEDIUM severity) reflects the low attack complexity and network accessibility, balanced against the limited impact (availability only, no confidentiality or integrity loss). The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog, but the simplicity of exploitation means awareness and prompt patching are warranted.
Remediation
Upgrade OpenTelemetry-Go to version 1.42.0 or later (or 1.44.0 if on the later release track). Verify the upgrade path with your dependency management tool and test in a staging environment before production deployment. If immediate upgrading is not feasible, implement network-level controls such as HTTP request filtering to reject baggage headers exceeding a reasonable size threshold (typically under 8 KB), though this should be considered a temporary mitigation only.
Patch guidance
Apply OpenTelemetry-Go version 1.42.0 or 1.44.0 as appropriate for your release track. Consult the OpenTelemetry project's release notes and security advisories to confirm patch applicability and any breaking changes. For Go projects, update your go.mod dependency and run `go get -u` to pull the patched version. Test baggage parsing behavior in your application post-update to ensure no regressions in trace or metrics collection.
Detection guidance
Monitor application logs for a sudden spike in baggage parsing errors or warnings, especially if correlated with unusual HTTP request patterns. Check for log entries indicating parse failures on the baggage header field. Network-level detection could flag HTTP requests with unusually large header values. If using application performance monitoring (APM), watch for elevated error rates or latency spikes that correspond to baggage processing. Correlate with source IP addresses to identify potential attack origins.
Why prioritize this
Although rated MEDIUM severity, this vulnerability should be prioritized for patching based on exploitability and operational risk. The attack requires no authentication, is trivial to execute, and can directly impact application availability. Organizations operating observability-critical services or those running many exposed Go microservices should treat this as a near-term patch candidate. However, it does not warrant emergency response procedures reserved for critical or high-severity vulnerabilities.
Risk score, explained
The CVSS 5.3 score reflects a network-accessible, unauthenticated attack vector with low complexity, but impact limited to availability (no confidentiality or integrity compromise). The score correctly captures that this is a denial-of-service issue with moderate risk—serious enough to merit prompt remediation, but not as urgent as vulnerabilities enabling code execution or data exfiltration.
Frequently asked questions
Which versions of OpenTelemetry-Go are vulnerable?
Versions 1.41.0 and 1.43.0 are vulnerable due to the removal of raw-length rejection in baggage header parsing. Versions 1.42.0 and 1.44.0 contain the fix.
Can this vulnerability lead to data breach or code execution?
No. CVE-2026-41178 is a denial-of-service vulnerability only. It does not compromise data confidentiality or integrity, nor does it allow arbitrary code execution. The risk is limited to availability impact through resource exhaustion.
How quickly should we patch this?
Given the ease of exploitation and network accessibility, plan patching within 30 days. If your service is exposed to untrusted networks or handles high-value transactions, accelerate to 7–14 days. Non-exposed internal services can follow a standard change window.
If we can't patch immediately, what can we do?
Implement network-level size limits on HTTP headers or use a WAF to reject requests with oversized baggage headers. Filter requests originating from untrusted sources. These are temporary mitigations; prioritize upgrading to a patched version as soon as feasible.
This analysis is based on publicly available vulnerability data as of the publication date. Exploit code or weaponized proof-of-concept demonstrations are not provided. Organizations should verify patch version numbers and availability through official OpenTelemetry release channels and their own package repositories before deployment. Security testing should be performed in non-production environments. SEC.co makes no warranty regarding the completeness or accuracy of mitigations suggested; consult your security team and vendor advisories for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk
- CVE-2019-25716MEDIUMDräger Patient Monitor Denial-of-Service Vulnerability