CVE-2026-45679: OpenTelemetry eBPF Instrumentation Data Exfiltration via Redis Error Messages
OpenTelemetry eBPF Instrumentation versions before 0.9.0 leak sensitive data through telemetry systems. When Redis commands fail, the instrumentation captures and exports the raw error messages produced by Redis. Attackers or misconfigured systems can craft Redis error responses containing authentication tokens, personally identifiable information, or other secrets. These sensitive values then flow into your telemetry backend—where security teams, SREs, and external monitoring vendors can see them—and may propagate into downstream analysis, alerting, or visualization tools. This is a data exfiltration vulnerability that risks exposing confidential input into systems where it was never intended to be visible.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-117, CWE-532
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis systems. This issue has been patched in version 0.9.0.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45679 is a data exfiltration flaw in OpenTelemetry eBPF Instrumentation (OBI) affecting versions prior to 0.9.0. The vulnerability stems from improper handling of Redis protocol error replies. When OBI instruments Redis client calls, it captures the span status message by directly exporting the raw error text returned by Redis. Redis error replies are unstructured text and can include attacker-controlled content or sensitive values from the client request context. Because the instrumentation layer does not sanitize or filter these messages before exporting them to telemetry backends, confidential data—such as authentication credentials, API keys, database connection strings, or customer PII—can be captured and persisted in observability platforms (e.g., Jaeger, Datadog, New Relic, Prometheus). The vulnerability maps to CWE-117 (Improper Output Neutralization for Logs) and CWE-532 (Insertion of Sensitive Information into Log File), reflecting both the log injection and confidentiality risks.
Business impact
This vulnerability creates a secondary attack surface through your observability infrastructure. Organizations using OBI to instrument Redis calls risk leaking high-value secrets into telemetry backends that may be accessed by a broader set of personnel, archived long-term, or integrated with third-party SaaS providers. Compromised credentials captured in telemetry could enable lateral movement, privilege escalation, or unauthorized access to backend systems. Regulatory exposure is also relevant: sensitive customer data or payment information appearing in logs may trigger GDPR, HIPAA, PCI-DSS, or similar compliance reporting obligations. The risk is compounded if telemetry data is retained across multiple environments (dev, staging, production) or synchronized to external monitoring vendors with varying security postures.
Affected systems
OpenTelemetry eBPF Instrumentation versions prior to 0.9.0 are affected. Any application using OBI to instrument Redis client libraries is at risk. Organizations running containerized or Kubernetes workloads that employ OBI for observability are particularly exposed, as eBPF instrumentation often operates at the host or container level with broad visibility into network traffic. The vulnerability affects all platforms and deployment models where OBI version < 0.9.0 is active.
Exploitability
Exploitability requires no special privileges or user interaction. The vulnerability is triggered passively during normal Redis error responses—any condition that generates a Redis error (invalid credentials, keyspace errors, protocol violations, or malformed commands) can cause sensitive data to leak if that data appears in the error message. An attacker does not need network access to the telemetry backend; they only need to cause a Redis error that contains sensitive content, which the instrumentation will automatically export. This makes the attack surface broad and the exploitability straightforward, though practical impact depends on whether sensitive data naturally appears in Redis error contexts in the target environment.
Remediation
Upgrade OpenTelemetry eBPF Instrumentation to version 0.9.0 or later. The patch removes the raw export behavior and implements sanitization of Redis error text before inclusion in span status messages. Organizations should also review telemetry retention policies and access controls to minimize exposure of any logs captured prior to patching. Consider scanning existing telemetry archives for evidence of leaked credentials or PII using keyword-based detection or regex patterns matching common secret formats.
Patch guidance
Patch by upgrading OBI to version 0.9.0 or later. Verify the upgrade through your package manager or container image repository. Test in non-production environments first to confirm compatibility with your existing observability stack and instrumentation configuration. Once patched, the instrumentation will no longer export raw Redis error text, instead substituting a sanitized span status message. No configuration changes are required; the fix is transparent upon upgrade.
Detection guidance
Search telemetry backend query logs and archives for patterns indicative of exposed secrets: API key formats (e.g., 'sk_', 'pk_', 'Bearer '), database credentials (e.g., 'user=', 'password='), or PII patterns (SSN, credit card BINs, email addresses). Monitor OBI logs and instrumentation metrics for high error rates on Redis calls, which may correlate with attempted credential exfiltration. Review access logs on telemetry backends (Jaeger UI, Datadog, etc.) for unusual queries or exports of sensitive data. Correlate timeline of this advisory with any security incidents involving credential compromise on systems running instrumented Redis clients.
Why prioritize this
Although the CVSS score of 6.5 (MEDIUM) reflects the absence of direct system compromise or availability impact, the vulnerability warrants prioritization due to its silent nature and high business risk. Data exfiltration into observability systems is often undetected for extended periods. Organizations handling regulated data (payment, healthcare, PII) should prioritize patching before the modified date (2026-06-17) to reduce the window of potential exposure. The lack of KEV listing does not diminish urgency; this is a confidentiality breach with long-tail compliance and reputational costs.
Risk score, explained
CVSS 6.5 is assigned under version 3.1. The score reflects: Network-accessible attack vector (AV:N), low attack complexity (AC:L), no authentication required (PR:N), no user interaction (UI:N), and impact limited to confidentiality and integrity within the telemetry subsystem (C:L, I:L, A:N). The scope is unchanged (S:U) because the attack does not cross security boundaries in the traditional sense; the data exfiltration occurs within the application's own observability infrastructure. However, this score does not fully capture the business risk of credential or PII exposure; organizations should weight the practical sensitivity of their telemetry content when determining internal risk appetite.
Frequently asked questions
Does this vulnerability allow attackers to read my Redis data or modify my database?
No. The vulnerability does not grant direct access to Redis or enable data manipulation. It exfiltrates sensitive values that appear in error messages into your telemetry system. If those error messages contain secrets (e.g., credentials passed in a malformed command), those secrets leak into observability backends where they may be visible to team members or external vendors.
How do I know if I've been affected or if sensitive data has leaked?
Check the version of OpenTelemetry eBPF Instrumentation running in your environment (typically visible via package managers or container image inspection). If it is version 0.9.0 or later, you are patched. If prior, query your telemetry backend for Redis error messages or exception traces containing patterns matching API keys, passwords, or PII. Review access logs on your telemetry platform to identify who has viewed traces from instrumented Redis calls.
Can I mitigate this without upgrading immediately?
Partial mitigation is possible: restrict access to your telemetry backend and reduce retention windows for sensitive observability data. However, these steps do not prevent the exfiltration itself; only upgrading to 0.9.0 stops the leakage at the source. Prioritize upgrading within your maintenance window.
Will the patch break my existing monitoring or alerts?
The patch changes how span status messages are formatted—they will no longer contain raw Redis error text. If you have alerts or dashboards that depend on parsing raw error text from spans, you may need to adjust those queries or rules. Review your observability configuration after upgrading and test in a staging environment first.
This analysis is provided for informational purposes and based on data available as of the publication date. SEC.co does not warrant the accuracy or completeness of third-party vulnerability data. Organizations should verify patch availability, compatibility, and applicability to their specific deployments by consulting official OpenTelemetry advisories and vendor documentation. This advisory does not constitute legal, compliance, or financial advice. Customers handling regulated data should consult their compliance and security teams regarding notification and remediation obligations. SEC.co assumes no liability for damages arising from use or reliance on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-41184MEDIUMCalico ServiceAccount Token Exposure in CNI Logs
- CVE-2026-41185MEDIUMCalico Azure IPAM Plaintext Credential Logging Vulnerability
- CVE-2026-40619HIGHGenetec Security Center Admin Credential Disclosure (Build-Based Vulnerability)
- CVE-2026-41178MEDIUMOpenTelemetry-Go Baggage Parsing DoS Vulnerability
- CVE-2026-45287MEDIUMOpenTelemetry-Go File Descriptor Leak & Denial of Service
- CVE-2026-45676MEDIUMOpenTelemetry eBPF Instrumentation ELF Parser Denial of Service
- CVE-2026-45680MEDIUMOpenTelemetry eBPF Instrumentation CPU Exhaustion DoS
- CVE-2026-45681MEDIUMOpenTelemetry eBPF Instrumentation Memory Leak (MEDIUM)