CVE-2026-45292: OpenTelemetry Java Baggage DoS Vulnerability – Patch & Detection Guide
OpenTelemetry Java is a popular library used by applications to record performance and diagnostic data. This vulnerability affects how it processes baggage—metadata that flows across service calls in distributed systems. An attacker can send oversized baggage that causes affected services to consume excessive memory and CPU, leading to denial of service. Because baggage is automatically forwarded to downstream services, the impact spreads beyond the initial target, potentially degrading performance across your entire microservices architecture.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-770
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-07-06
NVD description (verbatim)
opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the baggage propagation implementation within opentelemetry-api and opentelemetry-extension-trace-propagators (versions prior to 1.62.0). The baggage parser fails to enforce limits on allocation size, permitting an unauthenticated remote attacker to craft oversized baggage headers that trigger unbounded memory and CPU consumption. The propagation mechanism automatically injects baggage into outgoing requests, causing affected services to re-transmit the malicious payload downstream, amplifying the attack's scope across service meshes without requiring direct exploitation of each target.
Business impact
This vulnerability creates a cascading denial-of-service risk in microservices environments. An attacker targeting a single ingress point can degrade or exhaust resources across multiple dependent services simultaneously. For organizations relying on OpenTelemetry for observability in production systems, this can manifest as latency spikes, service unavailability, or customer-facing outages. The fanout effect is particularly dangerous in high-scale deployments where baggage propagation touches dozens of services, multiplying remediation complexity.
Affected systems
Any application using OpenTelemetry Java (opentelemetry-api or opentelemetry-extension-trace-propagators) in versions prior to 1.62.0 is vulnerable. This includes services instrumented for distributed tracing, especially those deployed in containerized or Kubernetes environments where automatic baggage propagation is standard practice. Java microservices, Spring Boot applications, Quarkus services, and other frameworks that integrate OpenTelemetry for telemetry collection are at risk if not updated.
Exploitability
Exploitation requires no authentication or special privileges. An attacker only needs to craft an HTTP request with a maliciously oversized baggage header and send it to any exposed service running vulnerable OpenTelemetry versions. The attack is trivial to execute and can be launched remotely over the network. No user interaction or complex preconditions are required. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects this low barrier to exploitation.
Remediation
Upgrade opentelemetry-api and opentelemetry-extension-trace-propagators to version 1.62.0 or later. This release includes fixes that enforce proper size limits on baggage parsing, preventing unbounded allocation. Organizations should prioritize upgrades in environments where OpenTelemetry is actively instrumented for tracing, particularly those exposed to untrusted network traffic.
Patch guidance
Update your OpenTelemetry Java dependencies to 1.62.0 or newer. If using a dependency management tool (Maven, Gradle, etc.), update the version constraint in your build file and rebuild all affected services. For containerized deployments, rebuild container images with the patched libraries and perform a controlled rolling update to minimize service disruption. Test in a staging environment first to ensure compatibility with your instrumentation setup and downstream telemetry collectors. Verify that trace propagation continues to function correctly after patching.
Detection guidance
Monitor for HTTP requests with unusually large baggage header values (typically transmitted as W3C Baggage or other standardized headers). Set alerting on application memory usage spikes or CPU consumption increases that correlate with requests from external sources. Observe logs for repeated allocations or parsing warnings related to baggage processing. Network-level detection can flag requests with oversized custom headers targeting baggage fields. Inspect access logs for patterns of requests with abnormally large trace or baggage metadata.
Why prioritize this
Although the CVSS score is moderate (5.3), the practical risk is elevated due to the effortless exploitability, the lack of authentication requirements, and the fanout effect across your service dependencies. In multi-tier architectures, a single malicious request can cascade into resource exhaustion across many systems, making this a significant operational risk despite the absence of confidentiality or integrity impact. Patch deployment should be prioritized for any service exposed to the internet or untrusted networks.
Risk score, explained
The CVSS score of 5.3 reflects a network-accessible vulnerability with low attack complexity and no privilege or user interaction requirements (AV:N/AC:L/PR:N/UI:N), resulting in denial of service impact (A:L). The score does not capture the propagation amplification factor inherent to distributed tracing systems, which security teams should factor into their risk assessment independently. While not critical, the ease of exploitation and broad blast radius in microservices environments warrant urgent attention.
Frequently asked questions
Will upgrading to 1.62.0 break my existing trace collection or observability setup?
No. Version 1.62.0 adds input validation and size limits but maintains full API compatibility with prior versions. Trace collection, propagation, and instrumentation continue to function normally. You may see a reduction in pathological allocations, but legitimate tracing workflows are unaffected.
How do I know if my services are using a vulnerable version of OpenTelemetry Java?
Check your build configuration files (pom.xml for Maven, build.gradle for Gradle) for the declared version of opentelemetry-api and opentelemetry-extension-trace-propagators. Additionally, examine runtime artifacts in your container images or application libraries. Many dependency scanning tools can automatically flag vulnerable versions.
Can this vulnerability be exploited if my services are behind a firewall or API gateway?
The vulnerability requires network access to a service running vulnerable OpenTelemetry code. If your services accept HTTP requests (which they must to be exploited), and an attacker can send crafted headers to them, the vulnerability applies. API gateways do not inherently mitigate this risk unless they actively validate or truncate oversized baggage headers.
What if I don't use distributed tracing or baggage propagation explicitly?
If OpenTelemetry is included as a transitive dependency or auto-instrumentation is enabled, baggage propagation may still be active by default. Review your classpath and OpenTelemetry agent configuration. Even if you do not actively use baggage, the automatic propagation mechanism can still be triggered by malicious requests, so upgrades remain necessary.
This analysis is provided for informational purposes to assist security teams in vulnerability assessment and remediation planning. The vulnerability details and patch information are based on the published CVE record and vendor advisory. Organizations should verify patch availability and compatibility in their specific environments before deployment. No exploit code or weaponized proof-of-concept is provided. Security teams should conduct internal testing before applying patches to production systems. This document does not constitute legal advice or guarantee protection from all exploitation scenarios. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability
- CVE-2026-40898MEDIUMquic-go HTTP/3 Trailer Memory Exhaustion DoS
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-44545MEDIUMDaphne WebSocket Denial of Service via Unlimited Payload Size
- CVE-2026-45023MEDIUMAutoGPT Credit Bypass in Block Execution API
- CVE-2026-45078MEDIUMSynapse Denial-of-Service via CPU Exhaustion (v1.152.1+)
- CVE-2026-45352MEDIUMcpp-httplib Negative Chunk Size Denial of Service