CVE-2026-41178
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk33th percentile - higher than 33% of all known CVEs
Summary
OpenTelemetry-Go versions 1.41.0 and 1.43.0 removed raw-length rejection, causing the `Parse` function to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs.
Risk Assessment
Organizations may be vulnerable to DoS attacks that can lead to service unavailability due to processing oversized or invalid headers.
Recommendation
It is recommended to upgrade to versions 1.42.0 or 1.44.0, which fix the issue.
Original NVD description (English source)
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.

