HIGH🇵🇱 Wersja polska

CVE-2026-24051

CVSS 7.0v3.1pub. 2026-02-02upd. 2026-06-15

OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.

CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Opentelemetry

    APP
    Opentelemetry
    1.21.0 – 1.40.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-39883HIGH7.3ten sam produkt

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 ...

CVE-2026-29181HIGH7.5ten sam produkt

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header...

CVE-2023-47108HIGH7.5ten sam produkt

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.3...

CVE-2023-45142HIGH7.5ten sam produkt

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out o...

CVE-2023-43810HIGH7.5ten sam produkt

OpenTelemetry, also known as OTel for short, is a vendor-neutral open-source Observability framework for instr...